CVE-2023-23940 (EPSS percentile 12.4%)


openzeppelin / contracts

Description

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.

Scoring

CVSS 6.4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS: 0.22% probability of exploitation · percentile 12.4% · 2026-06-19T12:03:05Z
Last modified: 2026-06-17
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.