GHSA-699g-q6qh-q4v8

GitHub Security Advisory

OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details


### Context
A merge-conflict resolution error when porting the v5.0.1 `Multicall` update to the v4.9 branch introduced a duplicated line.

### Impact
Versions using `Multicall` from `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4` will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicated operations such as asset transfers.

### Patches
The duplicated `delegatecall` was removed in 4.9.5. The 4.9.4 version is marked as deprecated.
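A minimal stand-in for the batching pattern this advisory describes, added here as an illustration and not OpenZeppelin's code: the loop with the duplicated subcall beside the corrected one, on a contract whose only batched operation is a simple balance transfer. The `balance` mapping, the `transfer` function and the names `multicallBuggy`, `multicallFixed` and `_delegate` are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example of the Multicall batching pattern (not the library's code).
// Each element of `data` is an ABI-encoded call to a function on this same
// contract, executed with delegatecall so msg.sender is preserved.
contract MulticallDuplicated {
    mapping(address => uint256) public balance;

    constructor() {
        balance[msg.sender] = 100; // seed the deployer for the check below
    }

    function transfer(address to, uint256 amount) public {
        balance[msg.sender] -= amount; // reverts on underflow in 0.8.x
        balance[to] += amount;
    }

    // Mirrors the defect in the advisory: the subcall line appears twice,
    // so every batched operation is executed twice.
    function multicallBuggy(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _delegate(data[i]);
            results[i] = _delegate(data[i]); // duplicated line: second execution
        }
    }

    // Corrected loop: exactly one delegatecall per subcall.
    function multicallFixed(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _delegate(data[i]);
        }
    }

    // Delegatecall into this contract and bubble up failures.
    function _delegate(bytes calldata subcall) private returns (bytes memory) {
        (bool ok, bytes memory ret) = address(this).delegatecall(subcall);
        require(ok, "subcall failed");
        return ret;
    }
}
```

Batching a single `abi.encodeCall`-encoded `transfer(to, 10)` from the deployer through `multicallBuggy` leaves the deployer's balance at 80 instead of 90; asserting the post-batch balance in a unit test is the regression check that catches a duplicated subcall.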

Affected Packages

npm @openzeppelin/contracts
Affected versions: 4.9.4 (fixed in 4.9.5)
npm @openzeppelin/contracts-upgradeable
Affected versions: 4.9.4 (fixed in 4.9.5)

Key Information

GHSA ID
GHSA-699g-q6qh-q4v8
Published
December 12, 2023 12:49 AM
Last Modified
December 12, 2023 12:49 AM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
@openzeppelin/contracts
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.