Shared-library version with known-vuln status

Chainlink CCIP's assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ v4.9.2 is not on any active high/critical CVE or GHSA advisory list as of 2026-05-16. The 4.9.2 release itself contains a critical bugfix for MerkleProof.processMultiProof — meaning the fix is included, not the vulnerability. No active advisory for OZ v4.9.2 or OZ v5.0.2.

Sources #

GitHub
OpenZeppelin v4.9.2 — MerkleProof fix included, no open high/critical advisoryOZ v4.9.2 changelog — includes MerkleProof critical fixretrieved 2026-05-16

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-135 score green collected_at 2026-05-16 01:55:09