CVE-2025-53638
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-07-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vectorized | solady | >= 0.0.125, < 0.1.24 (fixed in 0.1.24) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Solady npm package from version 0.0.125 up to, but not including, 0.1.24. When an account is deployed behind a proxy and its initialization function is invoked through an ordinary Solidity external call, the call can silently do nothing if the initialization function returns no data (no boolean, no return values of any kind). For external calls to functions without return data, Solidity guards against calling a code-less address by checking extcodesize of the call target before the call. Here the target is the proxy, which does have code, so that check passes; the proxy's delegatecall to an implementation address that has no code (an implementation that was never deployed on that chain, or a proxy pointed at an empty address) then returns success with empty return data, and nothing in the call chain reverts. The deployer sees a successful transaction even though the account's initialization was never executed, which can leave deployed accounts in an unexpected state. [1]
How can this vulnerability impact me?
The initialization call of an account deployed through a proxy can return success without having run, so the deploying code gets no indication that the account's state was never set. Applications that rely on that initialization having happened can then behave incorrectly or insecurely, and users of affected Solady versions without the patch may end up with deployments that appear to succeed but produce malfunctioning accounts. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the failure is silent, there is no revert or error to look for in transaction receipts; detection is a state check. First locate the implementation address each proxy delegates to (for ERC-1967 style proxies it is stored in the standard implementation storage slot; for proxies that embed the implementation in their bytecode, read it from the proxy's code), then query the code size at that address. With web3.js, `web3.eth.getCode(implementationAddress)` returning '0x' means the implementation has no code, and every proxy pointing to it falls into the silent-failure case; `provider.getCode(address)` in ethers.js or a raw `eth_getCode` JSON-RPC call give the same answer. Complement this with a post-deployment state check: read back the values the initialization function is supposed to set (owner, configuration, an initialized flag) and treat an account whose deployment transaction succeeded but whose state was never set as affected. [1]
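The check described above, written out as an added example that is not code from Solady, from the advisory, or from this page: it walks a list of proxies, resolves each one's implementation address, and flags the combination the previous answers describe (proxy with code, implementation without code). It assumes the proxies keep their implementation in the ERC-1967 implementation slot and that the chain reader offers `getCode(address)` and `getStorageAt(address, slot)` with the same meaning as `web3.eth.getCode` / `web3.eth.getStorageAt`; neither assumption is stated on the page. The reader used here is a constructed in-memory snapshot so the script runs offline.

```javascript
// Added example (not Solady's or BaseFortify's code): audit proxies for a code-less
// implementation, the condition behind the silent initialization failure.
// Assumptions, not from the page: ERC-1967 implementation slot; a reader exposing
// getCode(address) and getStorageAt(address, slot) like web3.eth does. The snapshot
// reader below is constructed sample data; against a live node, replace it with
// awaited web3/ethers calls.

// keccak256("eip1967.proxy.implementation") - 1, the ERC-1967 implementation slot.
const ERC1967_IMPL_SLOT =
  "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc";

// A storage word is 32 bytes; the address is its low 20 bytes.
function addressFromWord(word) {
  const hex = String(word).toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + hex.slice(24);
}

// eth_getCode returns "0x" for an address with no code (EOA or never deployed).
function hasCode(code) {
  return typeof code === "string" && code.length > 2 && code.toLowerCase() !== "0x";
}

// Classify each proxy. "empty-implementation" is the silent case: extcodesize(proxy) > 0
// satisfies Solidity's pre-call check, but the proxy's delegatecall lands on an address
// with no code and returns success with empty return data.
function auditProxies(reader, proxies) {
  return proxies.map((proxy) => {
    if (!hasCode(reader.getCode(proxy))) {
      // A plain Solidity call to a no-return-data function reverts here, so this is a
      // loud failure rather than the silent one; reported separately.
      return { proxy, implementation: null, status: "proxy-has-no-code" };
    }
    const implementation = addressFromWord(reader.getStorageAt(proxy, ERC1967_IMPL_SLOT));
    const status = hasCode(reader.getCode(implementation)) ? "ok" : "empty-implementation";
    return { proxy, implementation, status };
  });
}

// Only the proxies that need attention.
function emptyImplementationProxies(reader, proxies) {
  return auditProxies(reader, proxies)
    .filter((f) => f.status === "empty-implementation")
    .map((f) => f.proxy);
}

// Constructed sample addresses and chain snapshot (placeholder bytecode, not real contracts).
const PROXY_A = "0x" + "11".repeat(20); // healthy proxy
const PROXY_B = "0x" + "22".repeat(20); // proxy whose implementation was never deployed
const PROXY_C = "0x" + "33".repeat(20); // address with no code at all
const IMPL_DEPLOYED = "0x" + "aa".repeat(20);
const IMPL_MISSING = "0x" + "bb".repeat(20);
const word = (addr) => "0x" + "00".repeat(12) + addr.slice(2);

const SNAPSHOT = {
  code: {
    [PROXY_A]: "0x6080604052",
    [PROXY_B]: "0x6080604052",
    [IMPL_DEPLOYED]: "0x6080604052",
  },
  storage: {
    [PROXY_A]: { [ERC1967_IMPL_SLOT]: word(IMPL_DEPLOYED) },
    [PROXY_B]: { [ERC1967_IMPL_SLOT]: word(IMPL_MISSING) },
  },
};

const snapshotReader = {
  getCode: (addr) => SNAPSHOT.code[addr.toLowerCase()] || "0x",
  getStorageAt: (addr, slot) =>
    (SNAPSHOT.storage[addr.toLowerCase()] || {})[slot] || "0x" + "00".repeat(32),
};

const SAMPLE_PROXIES = [PROXY_A, PROXY_B, PROXY_C];

console.log(JSON.stringify(auditProxies(snapshotReader, SAMPLE_PROXIES), null, 2));
```

Against a live chain the two reader methods become `await web3.eth.getCode(addr)` and `await web3.eth.getStorageAt(addr, slot)` (or the ethers.js equivalents), and the audit loop must be awaited accordingly. Proxies that do not use the ERC-1967 slot, for example minimal proxies that hard-code the implementation in their runtime bytecode, need the implementation address extracted from the proxy's code instead; the `getCode` check on that address is the same.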
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Solady package to version 0.1.24 or later, which adds the missing extcodesize validation. A package upgrade does not change contracts that are already on chain, so also redeploy the affected implementations and their factories on new EVM chains as soon as possible so that new proxy deployments use the patched code. Until the upgrade is in place, do not rely on a plain Solidity call to an initialization function that returns no data: verify after deployment that the implementation address has code and that the initialization state was actually set, rather than trusting the call's success. [1]