GHSA-7j52-6fjp-58gr
Inconsistent storage layout for ERC2771ContextUpgradeable
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@openzeppelin/contracts-upgradeablenpmDescription
Impact
The storage layout of the ERC2771ContextUpgradeable is not constant between versions.
- versions
4.0.0,4.1.0and4.2.0, the contract has a length of 51 slots. - since
4.3.0, the contract has a length of 50 slots - future versions will continue using 50 slots.
This difference in layout could result in breaking upgrades if someone upgrades from an affected version to a non-affected version. It is thus recommended to be extremely careful when upgrading from a contract that uses ERC2771ContextUpgradeable <4.3.0 to a newer version that uses >=4.3.0.
We've assessed the instances of this contract found on chain (with publicly verified source code) and notified the corresponding teams of the risk that an upgrade could cause.
Workarounds
Potentially breaking upgrades would be caught by the OpenZeppelin Upgrades Plugins for Hardhat and Truffle. It is recommended to use this tooling for all your upgrades.
If you need to upgrade to a newer version of the Upgradeable Contracts library, we recommend copying the previous implementation ERC2771ContextUpgradeable (available in the release-4.2 branch) and packaging it with your code.
Reference
https://github.com/OpenZeppelin/openzeppelin-transpiler/pull/86
For more information
If you have any questions, comments, or need assistance regarding this advisory, email us at [email protected].
To submit security reports please use our bug bounty on Immunefi.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @openzeppelin/contracts-upgradeable | ≥ 4.0.0&&< 4.3.0 | 4.3.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @openzeppelin/contracts-upgradeable. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @openzeppelin/contracts-upgradeable to 4.3.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7j52-6fjp-58gr is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-7j52-6fjp-58gr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-7j52-6fjp-58gr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-7j52-6fjp-58gr in your dependencies?
O3 detects GHSA-7j52-6fjp-58gr across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.