Update dependency @openzeppelin/contracts to v5.4.0 [SECURITY] #1268
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.3.0->5.4.0GitHub Vulnerability Alerts
CVE-2025-54070
Impact
The
lastIndexOf(bytes,byte,uint256)function of theBytes.sollibrary may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e.buffer.length == 0) and position is not2**256 - 1(i.e.pos != type(uint256).max).The
posargument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing thebufferwould cause a revert under normal conditions.When triggered, the function reads memory at offset
buffer + 0x20 + pos. If memory at that location (outside thebuffer) matches the search pattern, the function would return an out of bound index instead of the expectedtype(uint256).max. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds.Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning
type(uint256).maxfor empty buffers or using the returned index without bounds checking could exhibit undefined behavior.Patches
Upgrade to 5.4.0
Release Notes
OpenZeppelin/openzeppelin-contracts (@openzeppelin/contracts)
v5.4.0Compare Source
Breaking changes
SignatureChecker,Governorand Governor's extensions. (#5716).Pragma changes
Changes by category
Account
Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#5657)AccountERC7579: Extension ofAccountthat implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#5657)AccountERC7579Hooked: Extension ofAccountERC7579that implements support for ERC-7579 hook modules. (#5657)EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#5587)IERC7821,ERC7821: Interface and logic for minimal batch execution. No support for additionalopDatais included. (#5657)Governance
GovernorNoncesKeyed: Extension ofGovernorthat adds support for keyed nonces when voting by sig. (#5574)Tokens
ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#5739)Cryptography
Signers
AbstractSigner,SignerECDSA,SignerP256, andSignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#5657)SignerERC7702: Implementation ofAbstractSignerfor Externally Owned Accounts (EOAs). Useful with ERC-7702. (#5657)SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#5659)MultiSignerERC7913: Implementation ofAbstractSignerthat supports multiple ERC-7913 signers with a threshold-based signature verification system. (#5659)MultiSignerERC7913Weighted: Extension ofMultiSignerERC7913that supports assigning different weights to each signer, enabling more flexible governance schemes. (#5741)Verifiers
ERC7913P256VerifierandERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#5659)Other
SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#5659)ERC7739: An abstract contract to validate signatures following the rehashing scheme fromERC7739Utils. (#5664)ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#5664)Structures
EnumerableMap: Add support forBytesToBytesMaptype. (#5658)EnumerableMap: Addkeys(uint256,uint256)that returns a subset (slice) of the keys in the map. (#5713)EnumerableSet: Add support forStringSetandBytesSettypes. (#5658)EnumerableSet: Addvalues(uint256,uint256)that returns a subset (slice) of the values in the set. (#5713)Utils
Arrays: AddunsafeAccess,unsafeMemoryAccessandunsafeSetLengthforbytes[]andstring[]. (#5568)Blockhash: Add a library that provides access to historical block hashes using EIP-2935's history storage, extending the standard 256-block limit to 8191 blocks. (#5642)Bytes: FixlastIndexOf(bytes,byte,uint256)with empty buffers and finite position to correctly returntype(uint256).maxinstead of accessing uninitialized memory sections. (#5797)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.