CVE-2023-40014

OpenZeppelin Contracts's ERC2771Context with custom forwarder may lead to zero-valued _msgSender

Description

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.36%
Vendor Advisory github.com Vendor Advisory github.com Vendor Advisory github.com
Affected: OpenZeppelin openzeppelin-contracts
Published at:
Updated at:

References

Link Tags
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-g4vp-m682-qqmp vendor advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4481 patch vendor advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4484 patch vendor advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/9445f96223041abf2bf08daa56f8da50b674cbcd patch
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/e4435eed757d4309436b1e06608e97b6d6e2fdb5 patch
https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3 release notes

Frequently Asked Questions

What is the severity of CVE-2023-40014?
CVE-2023-40014 has been scored as a medium severity vulnerability.
How to fix CVE-2023-40014?
To fix CVE-2023-40014, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-40014 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-40014 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-40014?
CVE-2023-40014 affects OpenZeppelin openzeppelin-contracts.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.