@openzeppelin/contracts and @openzeppelin/contracts-upgradeable are vulnerable to improper input validation. The vulnerability exists because an incorrect assumption about Solidity 0.8’s abi.decode
allows ERC165Checker
to revert instead of returning false
via a specifically crafted input request.
github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/5e9bccb282ee8f3c9c4abaccc74b40b9d34ccffa
github.com/OpenZeppelin/openzeppelin-contracts/commit/212de08e7f47b9836acca681ce0c9c6f91fe78aa
github.com/OpenZeppelin/openzeppelin-contracts/pull/3552
github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-qh9x-gcfh-pcrw