GHSA-WPRV-93R4-JJ2P OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees

Impact When the verifyMultiProof, verifyMultiProofCalldata, processMultiProof, or processMultiProofCalldata functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for...

OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees

Impact When the verifyMultiProof, verifyMultiProofCalldata, processMultiProof, or processMultiProofCalldata functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for...

CVE-2023-34459 OpenZeppelin Contracts's MerkleProof multiproofs may allow proving arbitrary leaves for specific trees

OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that...