CVE-2025-54070
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-07-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openzeppelin | contracts-upgradeable | 5.2.0 |
| openzeppelin | contracts-upgradeable | 5.4.0 |
| openzeppelin | contracts | 5.4.0 |
| openzeppelin | contracts | 5.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the lastIndexOf(bytes, byte, uint256) function in the Bytes.sol library of OpenZeppelin Contracts versions 5.2.0 up to but not including 5.4.0. When called on an empty buffer with a position argument not equal to the maximum uint256 value, the function reads memory outside the buffer bounds. If the out-of-bounds memory matches the search byte, the function returns an invalid index pointing outside the buffer instead of the expected maximum value. This can cause unexpected behavior such as running out of gas, returning invalid indices, or causing reverts if the returned index is used without proper bounds checking. [1]
How can this vulnerability impact me?
The vulnerability can cause your smart contract code to behave unexpectedly if it relies on lastIndexOf returning the maximum uint256 value for empty buffers or uses the returned index without bounds checking. This may lead to out-of-gas errors, invalid index returns, or transaction reverts. The impact depends on how the returned index is used in your code. It does not directly affect confidentiality, integrity, or availability, but can cause undefined behavior or failures in contract execution. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is specific to the `lastIndexOf(bytes, byte, uint256)` function in the OpenZeppelin Contracts library versions >= 5.2.0 and < 5.4.0. Detection involves identifying usage of these vulnerable versions in your smart contracts or dependencies. Since it is a code-level issue, you can detect it by checking the version of OpenZeppelin Contracts used in your project. For example, you can run commands like `npm list @openzeppelin/contracts` or `yarn list @openzeppelin/contracts` in your project directory to see the installed version. Additionally, reviewing smart contract code for calls to `lastIndexOf` with empty buffers and non-maximum `pos` values can help identify potential triggers. There are no specific network commands to detect this vulnerability as it is a local code issue. [1]
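The version check described above, scripted so it can run offline from a project directory. This is an added example, not part of the BaseFortify record or of OpenZeppelin's own tooling: it reads the `version` field of the installed `@openzeppelin/contracts` or `@openzeppelin/contracts-upgradeable` package.json under `node_modules` and reports whether it falls in the affected range (>= 5.2.0 and < 5.4.0). The directory layout, the `check_package` and `is_affected_version` names, and the sample package.json written by the demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page or from OpenZeppelin): flag installed
# @openzeppelin/contracts* versions in the CVE-2025-54070 affected range.

# Return 0 (true) when VERSION is >= 5.2.0 and < 5.4.0, else non-zero.
# Accepts npm range prefixes ("^5.2.0", "~5.3.0") and pre-release suffixes
# ("5.3.0-rc.1") by stripping them before comparing major.minor.
is_affected_version() {
  v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[-+].*$//')
  maj=${v%%.*}          # "5" from "5.3.1"
  rest=${v#*.}          # "3.1" from "5.3.1"
  min=${rest%%.*}       # "3" from "3.1"
  [ "$maj" -eq 5 ] 2>/dev/null || return 1
  [ "$min" -ge 2 ] 2>/dev/null && [ "$min" -lt 4 ] 2>/dev/null
}

# Print the "version" field of a package.json file (first match only).
package_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_package PROJECT_DIR PACKAGE_NAME
#   PACKAGE_NAME is "contracts" or "contracts-upgradeable".
#   Returns 0 if the installed version is affected, 1 if not affected,
#   2 if the package is not installed under node_modules.
check_package() {
  pj="$1/node_modules/@openzeppelin/$2/package.json"
  if [ ! -f "$pj" ]; then
    echo "@openzeppelin/$2: not installed in $1"
    return 2
  fi
  ver=$(package_version "$pj")
  if is_affected_version "$ver"; then
    echo "@openzeppelin/$2 $ver: AFFECTED (>= 5.2.0, < 5.4.0); upgrade to 5.4.0 or later"
    return 0
  fi
  echo "@openzeppelin/$2 $ver: not in affected range"
  return 1
}

# Demo on a constructed project tree with a vulnerable contracts 5.3.0 install.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/node_modules/@openzeppelin/contracts"
printf '{\n  "name": "@openzeppelin/contracts",\n  "version": "5.3.0"\n}\n' \
  > "$demo_dir/node_modules/@openzeppelin/contracts/package.json"
for pkg in contracts contracts-upgradeable; do
  check_package "$demo_dir" "$pkg" || true
done
rm -rf "$demo_dir"
```

Run it from the project root with `check_package . contracts` and `check_package . contracts-upgradeable`; because it reads the nested package.json rather than parsing `npm list` output, it works the same for npm, yarn and pnpm installs and needs no network access. A non-zero exit from `check_package` means "not affected" or "not installed", so the script is easy to wire into a CI gate that fails only on exit status 0.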
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the OpenZeppelin Contracts package to version 5.4.0 or later, where the vulnerability has been patched. This upgrade fixes the `lastIndexOf` function to correctly handle empty buffers and positions, preventing out-of-bounds memory access. Avoid using vulnerable versions (>= 5.2.0 and < 5.4.0) in your projects. Additionally, review your code to ensure that any use of the `lastIndexOf` function properly checks bounds and handles the returned index safely. [1, 2]