What is CVE-2023-26488?

CVE-2023-26488 is a vulnerability in the OpenZeppelin Contracts library that affects the ERC721Consecutive contract.

What is the severity of CVE-2023-26488?

The severity of CVE-2023-26488 is medium, with a severity value of 6.5.

How can I fix CVE-2023-26488 in OpenZeppelin Contracts?

To fix CVE-2023-26488 in OpenZeppelin Contracts, upgrade to version 4.8.2 or higher.

Where can I find more information about CVE-2023-26488?

More information about CVE-2023-26488 can be found in the OpenZeppelin Contracts repository and the associated security advisories.

Vulnerability/
CVE-2023-26488

medium

6.5

CWE

682

3/3/2023

25/2/2025

CVE-2023-26488: OpenZeppelin Contracts contains Incorrect Calculation

Q: How does CVE-2023-26488 affect OpenZeppelin Contracts?

CVE-2023-26488 affects OpenZeppelin Contracts by not updating balances when a batch has size 1 and consists of a single token, which can lead to balance overflow during subsequent transfers.

First published: Fri Mar 03 2023(Updated: )

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
OpenZeppelin Contracts	>=4.8.0<4.8.2
OpenZeppelin Contracts Upgradeable	>=4.8.0<4.8.2

Remedy

https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-26488?
CVE-2023-26488 is a vulnerability in the OpenZeppelin Contracts library that affects the ERC721Consecutive contract.
How does CVE-2023-26488 affect OpenZeppelin Contracts?
CVE-2023-26488 affects OpenZeppelin Contracts by not updating balances when a batch has size 1 and consists of a single token, which can lead to balance overflow during subsequent transfers.
What is the severity of CVE-2023-26488?
The severity of CVE-2023-26488 is medium, with a severity value of 6.5.
How can I fix CVE-2023-26488 in OpenZeppelin Contracts?
To fix CVE-2023-26488 in OpenZeppelin Contracts, upgrade to version 4.8.2 or higher.
Where can I find more information about CVE-2023-26488?
More information about CVE-2023-26488 can be found in the OpenZeppelin Contracts repository and the associated security advisories.

agent/type
collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/references
agent/remedy
agent/severity
agent/last-modified-date
agent/author
agent/description
agent/first-publish-date
agent/event
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/openzeppelin
canonical/openzeppelin contracts
version/openzeppelin contracts/4.8.0
canonical/openzeppelin contracts upgradeable
version/openzeppelin contracts upgradeable/4.8.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.