GHSA-7grf-83vw-6f5x

GitHub Security Advisory

OpenZeppelin Contracts ERC165Checker unbounded gas consumption

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost.
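As an added illustration (not code from the advisory or from OpenZeppelin), the Solidity sketch below contrasts a `supportsInterface` query that copies the target's entire return data into memory with one that bounds the copy to 32 bytes. The library and function names are hypothetical, and the 30,000 gas stipend is the query limit from the EIP-165 specification, not a value stated on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; hypothetical names, not the project's own code.
library BoundedERC165Query {
    // bytes4(keccak256("supportsInterface(bytes4)"))
    bytes4 private constant SUPPORTS_INTERFACE = 0x01ffc9a7;

    // Unbounded form: `bytes memory result` makes the caller copy ALL of the
    // target's return data into its own memory. The gas stipend caps what the
    // target may spend, but the copy is paid for by the caller afterwards, so
    // the caller's cost depends on how much data the target chose to return.
    function queryUnbounded(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory data = abi.encodeWithSelector(SUPPORTS_INTERFACE, interfaceId);
        (bool success, bytes memory result) = account.staticcall{gas: 30000}(data);
        if (result.length < 32) return false;
        return success && abi.decode(result, (bool));
    }

    // Bounded form: the staticcall is told to copy at most 0x20 bytes of
    // return data into scratch space, so the caller's cost no longer depends
    // on the size of the target's response.
    function queryBounded(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory data = abi.encodeWithSelector(SUPPORTS_INTERFACE, interfaceId);
        bool success;
        uint256 returnSize;
        uint256 returnValue;
        assembly {
            // out offset 0x00, out size 0x20: only one word is ever copied
            success := staticcall(30000, account, add(data, 0x20), mload(data), 0x00, 0x20)
            returnSize := returndatasize()
            returnValue := mload(0x00)
        }
        // Require a full word of return data before trusting the value read.
        return success && returnSize >= 0x20 && returnValue > 0;
    }
}
```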

### Patches

The issue has been fixed in v4.7.2.

### References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587

### For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [email protected].

Affected Packages

npm @openzeppelin/contracts
Affected versions: 2.0.0 (fixed in 4.7.2)
npm openzeppelin-solidity
Affected versions: 2.0.0 (last affected: 4.6.0)
npm @openzeppelin/contracts-upgradeable
Affected versions: 3.2.0 (fixed in 4.7.2)
npm openzeppelin-eth
Affected versions: 2.0.0 (last affected: 2.2.0)

Key Information

GHSA ID: GHSA-7grf-83vw-6f5x
Published: August 14, 2022 12:23 AM
Last Modified: August 14, 2022 12:23 AM
CVSS Score: 5.0/10
Primary Ecosystem: npm
Primary Package: @openzeppelin/contracts
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.