Critical severityNVD Advisory· Published Nov 12, 2021· Updated Aug 4, 2024
UUPSUpgradeable vulnerability in OpenZeppelin Contracts
CVE-2021-41264
Description
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. For users unable to upgrade; initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@openzeppelin/contractsnpm | >= 4.1.0, < 4.3.2 | 4.3.2 |
@openzeppelin/contracts-upgradeablenpm | >= 4.1.0, < 4.3.2 | 4.3.2 |
Affected products
3- ghsa-coords2 versions
>= 4.1.0, < 4.3.2+ 1 more
- (no CPE)range: >= 4.1.0, < 4.3.2
- (no CPE)range: >= 4.1.0, < 4.3.2
- Range: >= 4.1.0 < 4.3.2
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-5vp3-v4hc-gx76ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41264ghsaADVISORY
- forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301ghsax_refsource_MISCWEB
- github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592ghsax_refsource_MISCWEB
- github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.