SCA: security update for @openzeppelin/contracts, @openzeppelin/contracts-upgradeable (GHSA-9rcw-c2f9-2j55)

medium Tenable Self-Hosted Container Security Plugin ID 428438

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and
prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may
access uninitialized memory when the following two conditions hold: 1) the provided buffer is empty
(i.e. `buffer.length == 0`), and 2) the position is not `2**256 - 1` (i.e. `pos != type(uint256).max`).
The `pos` argument could then be used to access arbitrary data outside the buffer bounds. This could lead
to the operation running out of gas, or returning an invalid index (outside of the empty buffer); using
that invalid result to index into `buffer` would cause a revert under normal conditions. When triggered,
the function reads memory at offset `buffer + 0x20 + pos`. If memory at that location (outside the
`buffer`) matches the search pattern, the function returns an out-of-bounds index instead of the
expected `type(uint256).max`. Callers therefore receive a valid-looking index that points outside the
buffer. Code that performs subsequent memory accesses with the returned index, without checking bounds,
should carefully review the potential impact in its setup. Code relying on this function returning
`type(uint256).max` for empty buffers, or using the returned index without bounds checking, could
exhibit undefined behavior. Users should upgrade to version 5.4.0 to receive a patch. (CVE-2025-54070)

See Also

https://github.com/advisories/GHSA-9rcw-c2f9-2j55

Plugin Details

Severity: Medium

ID: 428438

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 7/18/2025

Updated: 4/20/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 0

Percentile: 0

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-54070

CVSS v3

Risk Factor: High

Base Score: 8.4

Temporal Score: 7.3

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/17/2025

Vulnerability Publication Date: 7/17/2025

Reference Information

CVE: CVE-2025-54070

CWE: CWE-125