medium
5.9
CWE
354
Advisory Published
Advisory Published
Updated

CVE-2023-34459: OpenZeppelin Contracts's MerkleProof multiproofs may allow proving arbitrary leaves for specific trees

First published: Fri Jun 16 2023(Updated: )

### Impact When the `verifyMultiProof`, `verifyMultiProofCalldata`, `processMultiProof`, or `processMultiProofCalldata` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertently for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree. A contract is not vulnerable if it uses single-leaf proving (`verify`, `verifyCalldata`, `processProof`, or `processProofCalldata`), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the [@openzeppelin/merkle-tree](https://github.com/OpenZeppelin/merkle-tree) library are safe. ### Patches The problem has been patched in 4.9.2. ### Workarounds If you are using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the [@openzeppelin/merkle-tree](https://www.npmjs.com/package/@openzeppelin/merkle-tree) package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
npm/@openzeppelin/contracts-upgradeable>=4.7.0<4.9.2
4.9.2
npm/@openzeppelin/contracts>=4.7.0<4.9.2
4.9.2
OpenZeppelin Contracts>=4.7.0<4.9.2
OpenZeppelin Contracts Upgradeable>=4.7.0<4.9.2

Remedy

https://github.com/OpenZeppelin/openzeppelin-contracts/commit/4d2383e17186be3e8ccf5a442e9686ecc7de1c55

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the vulnerability associated with CVE-2023-34459?

    The vulnerability associated with CVE-2023-34459 is related to OpenZeppelin Contracts version 4.7.0 to 4.9.2 and allows for the construction of malicious Merkle trees.

  • How does the vulnerability in OpenZeppelin Contracts manifest?

    The vulnerability manifests when using the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions in OpenZeppelin Contracts versions 4.7.0 to 4.9.2.

  • What is the severity of the OpenZeppelin Contracts vulnerability (CVE-2023-34459)?

    The severity of the OpenZeppelin Contracts vulnerability (CVE-2023-34459) is medium with a CVSS score of 5.9.

  • Which versions of OpenZeppelin Contracts are affected by the vulnerability?

    OpenZeppelin Contracts versions 4.7.0 to 4.9.2 are affected by the vulnerability.

  • How can I fix the vulnerability in OpenZeppelin Contracts?

    To fix the vulnerability in OpenZeppelin Contracts, you should update to version 4.9.2 or later.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203