Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/60159?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/60159?format=api", "purl": "pkg:npm/%40openzeppelin/contracts-upgradeable@4.3.0", "type": "npm", "namespace": "@openzeppelin", "name": "contracts-upgradeable", "version": "4.3.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.3.1", "latest_non_vulnerable_version": "5.4.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109977?format=api", "vulnerability_id": "VCID-9pnw-9buy-5kab", "summary": "OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals\n### Impact\n\nThis issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirement, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement.\n\nAnalysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue.\n\n### Patches\n\nThis issue has been patched in v4.7.2.\n\n### Workarounds\n\nAvoid lowering quorum requirements if a past proposal was defeated for lack of quorum.\n\n### References\n\nhttps://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561\n\n### For more information\n\nIf you have any questions or comments about this advisory, or need assistance deploying the fix, email us at [security@openzeppelin.com](mailto:security@openzeppelin.com).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50325", "published_at": "2026-06-04T12:55:00Z" } ], "url": 
"https://api.first.org/data/v1/epss?cve=CVE-2022-31198" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:48Z/" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.7.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.7.2" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-xrc4-737v-9q75", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:48Z/" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-xrc4-737v-9q75" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31198", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31198" }, { "reference_url": "https://github.com/advisories/GHSA-xrc4-737v-9q75", "reference_id": "GHSA-xrc4-737v-9q75", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xrc4-737v-9q75" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/148086?format=api", "purl": "pkg:npm/%40openzeppelin/contracts-upgradeable@4.7.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540openzeppelin/contracts-upgradeable@4.7.2" } ], "aliases": [ "CVE-2022-31198", "GHSA-xrc4-737v-9q75" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9pnw-9buy-5kab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42056?format=api", "vulnerability_id": "VCID-e2yb-zuf8-6qbk", "summary": "Improper Neutralization in @openzeppelin/contracts.", "references": [ { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts" }, { "reference_url": "https://github.com/advisories/GHSA-m6w8-fq7v-ph4m", "reference_id": 
"GHSA-m6w8-fq7v-ph4m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m6w8-fq7v-ph4m" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-m6w8-fq7v-ph4m", "reference_id": "GHSA-m6w8-fq7v-ph4m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-m6w8-fq7v-ph4m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60160?format=api", "purl": "pkg:npm/%40openzeppelin/contracts-upgradeable@4.4.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540openzeppelin/contracts-upgradeable@4.4.2" } ], "aliases": [ "GHSA-m6w8-fq7v-ph4m", "GMS-2022-61", "GMS-2022-62" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e2yb-zuf8-6qbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45334?format=api", "vulnerability_id": "VCID-mshr-yc9h-jufk", "summary": "Generation of Predictable Numbers or Identifiers\nOpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. 
Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.", "references": [ { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T20:13:05Z/" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.1" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/66f390fa516b550838e2c2f65132b5bc2afe1ced", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/66f390fa516b550838e2c2f65132b5bc2afe1ced" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34234", "reference_id": "CVE-2023-34234", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34234" }, { "reference_url": "https://github.com/advisories/GHSA-5h3x-9wvq-w4m2", "reference_id": "GHSA-5h3x-9wvq-w4m2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5h3x-9wvq-w4m2" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2", "reference_id": "GHSA-5h3x-9wvq-w4m2", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T20:13:05Z/" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65334?format=api", "purl": "pkg:npm/%40openzeppelin/contracts-upgradeable@4.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540openzeppelin/contracts-upgradeable@4.9.1" } ], "aliases": [ "CVE-2023-34234", "GHSA-5h3x-9wvq-w4m2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mshr-yc9h-jufk" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/44961?format=api", "vulnerability_id": "VCID-r1tt-p7t8-ufgh", "summary": "Improper Input Validation\nOpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length `signatures` and `calldatas` parameters.", "references": [ { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/8d633cb7d169f2f8595b273660b00b69e845c2fe", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/8d633cb7d169f2f8595b273660b00b69e845c2fe" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T16:05:08Z/" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30542", "reference_id": "CVE-2023-30542", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30542" }, { "reference_url": "https://github.com/advisories/GHSA-93hq-5wgc-jc82", "reference_id": "GHSA-93hq-5wgc-jc82", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-93hq-5wgc-jc82" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82", "reference_id": "GHSA-93hq-5wgc-jc82", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T16:05:08Z/" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64739?format=api", "purl": 
"pkg:npm/%40openzeppelin/contracts-upgradeable@4.8.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540openzeppelin/contracts-upgradeable@4.8.3" } ], "aliases": [ "CVE-2023-30542", "GHSA-93hq-5wgc-jc82" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r1tt-p7t8-ufgh" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42649?format=api", "vulnerability_id": "VCID-4c19-crxp-93fh", "summary": "Inconsistent storage layout for ERC2771ContextUpgradeable\nThe storage layout of the ERC2771ContextUpgradeable is not constant", "references": [ { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-transpiler/pull/86", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-transpiler/pull/86" }, { "reference_url": "https://github.com/advisories/GHSA-7j52-6fjp-58gr", "reference_id": "GHSA-7j52-6fjp-58gr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7j52-6fjp-58gr" }, { "reference_url": "https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-7j52-6fjp-58gr", "reference_id": "GHSA-7j52-6fjp-58gr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-7j52-6fjp-58gr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60159?format=api", "purl": "pkg:npm/%40openzeppelin/contracts-upgradeable@4.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9pnw-9buy-5kab" }, { "vulnerability": "VCID-e2yb-zuf8-6qbk" }, { "vulnerability": "VCID-mshr-yc9h-jufk" }, { "vulnerability": "VCID-r1tt-p7t8-ufgh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540openzeppelin/contracts-upgradeable@4.3.0" } ], "aliases": [ "GHSA-7j52-6fjp-58gr", "GMS-2022-450" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4c19-crxp-93fh" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540openzeppelin/contracts-upgradeable@4.3.0" }