OpenZeppelin · OpenZeppelin Contracts · CVE-2024-27094
**Name of the Vulnerable Software and Affected Versions**
OpenZeppelin Contracts versions prior to 4.9.6
OpenZeppelin Contracts versions prior to 5.0.2
**Description**
The `Base64.encode` function in OpenZeppelin Contracts encodes a `bytes` input by iterating over it in chunks of 3 bytes. When the input length is not a multiple of 3, the last iteration reads memory beyond the end of the input buffer. Although `encode` pads the output for these cases, up to 4 bits read from that out-of-bounds memory survive in the last encoded character before the padding, so the output is corrupted whenever those bits are dirty (non-zero). This occurs more readily in certain scenarios, such as when a `bytes memory` value is allocated directly after the input and its first bytes are non-zero, or when the free memory pointer points at a non-empty memory location before the input is allocated. Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker.
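To make the failure mode concrete, the following is an added Python model of the chunked encoder; it is not OpenZeppelin's Solidity code. It reads 3-byte chunks from a flat buffer made of the input plus a constructed `trailing_memory` that stands in for whatever follows the input in memory, and shows which bits leak into the output ahead of the padding.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_chunked(data: bytes, trailing_memory: bytes, mask_tail: bool) -> str:
    """Base64-encode `data` by reading 3-byte chunks from a flat memory buffer.

    `trailing_memory` is a constructed stand-in for whatever sits in memory
    directly after the input (e.g. the first bytes of the next allocation).
    mask_tail=False keeps the out-of-range bits in the final character before
    padding, modelling the behaviour the advisory describes; mask_tail=True
    zeroes the out-of-range bytes first, which yields the canonical encoding
    a correct encoder must produce.
    """
    memory = data + trailing_memory
    out = []
    for i in range(0, len(data), 3):
        valid = min(3, len(data) - i)          # real input bytes in this chunk
        chunk = memory[i:i + 3].ljust(3, b"\x00")
        if mask_tail:
            chunk = chunk[:valid] + b"\x00" * (3 - valid)
        n = int.from_bytes(chunk, "big")
        out.extend(ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0))
        # Padding replaces only the characters that lie entirely past the
        # input; the character straddling the boundary keeps its low bits
        # (4 bits for a 1-byte tail, 2 bits for a 2-byte tail).
        if valid < 3:
            out[-(3 - valid):] = ["="] * (3 - valid)
    return "".join(out)


def dirty_tail_bits(data: bytes) -> int:
    """Bits of the last emitted character that come from beyond the input."""
    return {0: 0, 1: 4, 2: 2}[len(data) % 3]


def corrupted(data: bytes, trailing_memory: bytes) -> bool:
    """True when dirty memory changes the output versus the canonical encoding."""
    canonical = base64.b64encode(data).decode()
    return encode_chunked(data, trailing_memory, mask_tail=False) != canonical
```

A lenient decoder may still accept the corrupted string, so the damage typically shows up as a failed equality or hash comparison against the canonical encoding rather than as a decode error.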
**Recommendations**
For versions prior to 4.9.6, upgrade to 4.9.6.
For versions prior to 5.0.2, upgrade to 5.0.2.
As a temporary workaround, consider restricting the use of the `Base64.encode` function until a patch is applied.