UUPSUpgradeable vulnerability in OpenZeppelin Contracts

Critical
frangio published GHSA-5vp3-v4hc-gx76 Sep 14, 2021

Package

@openzeppelin/contracts (npm)

Affected versions

>= 4.1.0 < 4.3.2

Patched versions

4.3.2

Package

@openzeppelin/contracts-upgradeable (npm)

Affected versions

>= 4.1.0 < 4.3.2

Patched versions

4.3.2

Description

Impact

Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.

Patches

A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.
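
To check whether a project resolves either package to a release in the affected range, the following added example (not part of the advisory or of OpenZeppelin's code) scans a parsed package-lock.json. The function names and the sample lockfile are constructed for illustration, and treating a pre-release of 4.3.2 as unpatched is a conservative assumption.

```javascript
const AFFECTED = ['@openzeppelin/contracts', '@openzeppelin/contracts-upgradeable'];
const FIRST_AFFECTED = [4, 1, 0], PATCHED = [4, 3, 2]; // advisory range: >= 4.1.0 < 4.3.2
// Split "4.3.2-rc.0" into its numeric core and a pre-release flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return false; // git URLs and tarballs are not matched here
  const lo = cmp(p.core, FIRST_AFFECTED), hi = cmp(p.core, PATCHED);
  if (hi === 0) return p.pre; // assumption: a 4.3.2 pre-release counts as unpatched
  if (lo === 0) return !p.pre; // a 4.1.0 pre-release sorts below the range
  return lo > 0 && hi < 0;
}

// Walks the flat "packages" map (lockfileVersion 2/3) and nested "dependencies" (v1).
function scanLockfile(lock) {
  const hits = [];
  const check = (path, name, meta) => {
    if (AFFECTED.includes(name) && isAffected(meta.version) && !hits.some(h => h.path === path))
      hits.push({ path, name, version: meta.version });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i >= 0) check(path, path.slice(i + 'node_modules/'.length), meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      check(path, name, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  'node_modules/@openzeppelin/contracts': { version: '4.3.2' },
  'node_modules/@openzeppelin/contracts-upgradeable': { version: '4.2.0' },
  'node_modules/some-lib/node_modules/@openzeppelin/contracts': { version: '4.1.0' },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

A hit on a nested path means a transitive dependency pins an affected copy, so upgrading only the top-level package does not remove it.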

Workarounds

Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.

References

Post-mortem.

For more information

If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.

Severity

Critical

CVE ID

CVE-2021-41264

Weaknesses

No CWEs