CVE-2024-27094

MEDIUM

Published 2024-02-29T18:18:24.721Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-27094. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

6.5

/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.002

probability

of exploitation in the wild

There is a 0.2% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.398

Higher than 39.8% of all CVEs

Attack Vector Metrics

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

NONE

Integrity

LOW

Availability

HIGH

Description

OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

OpenZeppelin

openzeppelin-contracts

Affected Versions:

>= 4.5.0, < 4.9.6 >= 5.0.0-rc.0, < 5.0.2

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed LOW

OpenZeppelin Contracts base64 encoding may read from potentially dirty memory

GHSA-9vx6-7xxf-x967

Advisory Details

### Impact The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. Although the `encode` function pads the output for these cases, up to 4 bits of data are kept between the encoding and padding, corrupting the output if these bits were dirty (i.e. memory after the input is not 0). These conditions are more frequent in the following scenarios: - A `bytes memory` struct is allocated just after the input and the first bytes of it are non-zero. - The memory pointer is set to a non-empty memory location before allocating the input. Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker. ### Patches Upgrade to 5.0.2 or 4.9.6. ### References This issue was reported by the Independent Security Researcher Riley Holterhus through Immunefi (@rileyholterhus on X)