CVE/GHSA advisory issued against protocol
Uniswap (v2 + v3)'s assessment for RD-F-178 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
GHSA-7m37-cx35-qgmr (CVE-2022-48216) exists for @uniswap/universal-router <1.1.0 (High, CVSS 7.5). Patched pre-deployment — no user funds at risk. Covers V3 periphery (Universal Router), not V3 core or V2 core. V2 core: green (no advisory). V3 core: green (no advisory). V3 periphery: yellow (advisory exists, fully patched). Combined: yellow.
Detail
GHSA-7m37-cx35-qgmr was published 2023-01-04 by NVD as CVE-2022-48216. Severity: High (CVSS 7.5). Affected package: @uniswap/universal-router < 1.1.0. Vulnerability: reentrancy in the execute() function of the Universal Router. The vulnerability was discovered by Dedaub and disclosed responsibly. Fix: Uniswap Labs patched the vulnerability in v1.1.0, and the Universal Router was launched with the fix in place — no user funds were ever at risk. The advisory covers a V3 periphery contract (Universal Router), not V3 core (Pool, Factory) or V2 core. Searched for V2 core CVEs/GHSAs: none found. Searched for V3 core (Factory, Pool) CVEs/GHSAs: none found. Combined slug assessment: yellow (advisory exists for a component covered by the assessment, fully patched, zero user loss). Score: yellow.
Sources
- GitHub Advisory GHSA-7m37-cx35-qgmr — Universal Router reentrancy (GHSA-7m37-cx35-qgmr advisory; retrieved 2026-04-29)
- Uniswap Universal Router Reentrancy Disclosure — Dedaub (Dedaub disclosure — pre-deployment fix confirmed; retrieved 2026-05-12)
Methodology
Determine whether a CVE, GHSA, or equivalent public advisory has been issued against this protocol or its code.