UUPSUpgradeable vulnerability in OpenZeppelin Contracts
Description
OpenZeppelin Contracts is a library for smart contract development. In affected versions, upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. For users unable to upgrade, initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Uninitialized UUPSUpgradeable implementation contracts in OpenZeppelin v4.1.0–4.3.1 are vulnerable; fixed in v4.3.2.
Vulnerability
Upgradeable contracts using the UUPSUpgradeable pattern from OpenZeppelin Contracts versions 4.1.0 through 4.3.1 are vulnerable if the implementation contract is not initialized. The bug allows an attacker to call upgradeTo or upgradeToAndCall on an uninitialized implementation contract, potentially taking control of the proxy's upgrade mechanism [1][2].
Exploitation
An attacker does not need any special privileges; the attack can be executed by directly calling upgradeTo on the uninitialized implementation contract address. The attacker must deploy a malicious implementation and then invoke the upgrade function on the target implementation contract, which lacks the onlyProxy modifier introduced in the fix [4]. No user interaction is required.
Impact
Successful exploitation allows the attacker to upgrade the proxy's implementation to a malicious contract, gaining full control over the proxy's storage and functions. This can lead to complete compromise of the upgradeable contract's state and logic, including theft of funds or data [1][2].
Mitigation
The vulnerability is fixed in OpenZeppelin Contracts v4.3.2 and @openzeppelin/contracts-upgradeable v4.3.2 [4]. Users unable to upgrade should immediately invoke the initializer function on their implementation contracts to initialize them, as described in the security advisory [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
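One way to apply the mitigation described above (initializing the implementation contract so that nobody else can claim it), as an added example that is not code from the advisory or from the OpenZeppelin repository. It assumes @openzeppelin/contracts-upgradeable 4.x and uses a constructor carrying the `initializer` modifier, which marks the implementation itself as initialized at deploy time; the contract name `Treasury` and its `record` function are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (editor's illustration, not code from the advisory or the
// OpenZeppelin repository). Assumes @openzeppelin/contracts-upgradeable 4.x.
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

contract Treasury is UUPSUpgradeable, OwnableUpgradeable {
    uint256 public balanceRecorded;

    /// Runs only on the implementation contract itself; constructors are never
    /// executed in a proxy's context. The `initializer` modifier marks the
    /// implementation's own storage as initialized, so a later direct call to
    /// initialize() on the implementation address reverts and no third party
    /// can become its owner. This is the pre-4.3.2 workaround from the advisory
    /// (done at deploy time instead of as a separate transaction) and is
    /// harmless on 4.3.2+. The annotation tells the OpenZeppelin Upgrades
    /// plugins that this constructor is intentional.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() initializer {}

    /// Proxy-side initializer: each proxy calls this once via delegatecall.
    function initialize() external initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    function record(uint256 amount) external onlyOwner {
        balanceRecorded += amount;
    }

    /// Gate for upgradeTo / upgradeToAndCall. Because the implementation is
    /// locked in the constructor, the only owner that can ever exist is one set
    /// through a proxy, so a direct upgradeTo on the implementation fails this
    /// check regardless of whether the library's onlyProxy guard is present.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

Deploy this as the implementation behind an ERC1967 proxy and call initialize() through the proxy; calling initialize() directly on the implementation address reverts with "Initializable: contract is already initialized".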
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @openzeppelin/contracts | npm | >= 4.1.0, < 4.3.2 | 4.3.2 |
| @openzeppelin/contracts-upgradeable | npm | >= 4.1.0, < 4.3.2 | 4.3.2 |
Affected products
- (no CPE assigned) range: >= 4.1.0, < 4.3.2
- (no CPE assigned) range: >= 4.1.0, < 4.3.2
- OpenZeppelin/openzeppelin-contracts (v5) range: >= 4.1.0, < 4.3.2
Patches
No patches discovered yet.
References
1. https://github.com/advisories/GHSA-5vp3-v4hc-gx76 (GHSA advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2021-41264 (NVD entry)
3. https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301 (OpenZeppelin forum advisory)
4. https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592 (fix commit)
5. https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76 (repository security advisory)