CVE-2023-26488
moderate-risk
Published 2023-03-03
OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.
Do I need to act?
-
0.32% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10
Medium
NETWORK
/ LOW complexity
Affected Products (2)
Contracts Upgradeable
Affected Vendors
References (6)
Third Party Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-...
Third Party Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-...
32
/ 100
moderate-risk
Severity
24/34 · High
Exploitability
1/34 · Minimal
Exposure
7/34 · Low