5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-49798

GHSA ID

GHSA-699g-q6qh-q4v8

EPSS Score

0.58432%

CWE

CWE-670

Published

12/12/2023

Updated

12/12/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-49798

CVE-2023-49798: OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context

Merge conflict resolution issue when porting the v5.0.1 Multicall update to the v4.9 branch caused a duplicated line.

Impact

Versions using Multicall from @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4 will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers.

Patches

The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-49798

CVE-2023-49798:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-49798

GHSA ID

GHSA-699g-q6qh-q4v8

EPSS Score

0.58432%

CWE

CWE-670

Published

12/12/2023

Updated

12/12/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@openzeppelin/contracts	npm	= 4.9.4	4.9.5
@openzeppelin/contracts-upgradeable	npm	= 4.9.4	4.9.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a duplicated 'functionDelegateCall' line in the multicall loop implementation, as shown in both the contracts and contracts-upgradeable commit diffs. The advisory explicitly states this caused double execution of subcalls. Both Multicall and MulticallUpgradeable versions in 4.9.4 contained this flawed loop structure, which was corrected by removing the duplicate line in 4.9.5. The functions' names and file paths are directly referenced in the diff and advisory context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-49798: OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context

Impact

Patches

CVE-2023-49798:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5.9

5.9

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-49798: OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context

Impact

Patches

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI