CVE-2021-46320
Description
In OpenZeppelin <=v4.4.0, initializer functions that are invoked separately from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible, breaking the expectation that there is a single execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts ≤4.4.0 allow reentrant initialization in minimal proxies when the initializer makes an untrusted external call.
Vulnerability
The initializer modifier in OpenZeppelin Contracts versions up to and including v4.4.0 incorrectly allowed reentrancy during initialization when the initializer function performs an untrusted non-view external call. The issue exists because an exception handling multiple inheritance prevented the modifier from detecting recursive invocations, breaking the guarantee of single execution. This primarily affects minimal proxy patterns where initialization is separated from contract creation [1][3].
Exploitation
An attacker must be able to trigger an initializer function that makes an untrusted external call (e.g., to a contract the attacker controls) before the initializer completes. Through that external call, the attacker re-enters the same initializer function on the same contract instance. This requires the contract to be initialized via a separate transaction (not at deployment time) and the initializer to invoke a non-view call to an address the attacker influences [3].
Impact
Successfully reentering the initializer allows the attacker to re-execute the initialization logic, potentially setting critical state variables (e.g., owner, admin) to attacker-controlled values. This can lead to full compromise of the contract's access control and intended functionality, depending on what the initializer sets [3].
Mitigation
The vulnerability is fixed in OpenZeppelin Contracts v4.4.1 of both @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. The fix introduces the onlyInitializing modifier for use in upgradeable contracts and prevents nested initializer calls. Users should upgrade to v4.4.1 or later. As a workaround, avoid untrusted external calls inside initializer functions [3].
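As an added illustration (not code from the advisory or from the OpenZeppelin repository), the following Solidity sketch reconstructs the shape of the initializer guard before and after the fix and shows the minimal-proxy initialization pattern the text describes. The modifier bodies are simplified reconstructions of the ≤4.4.0 and 4.4.1 logic (no storage gap, no events), and the contract names AddressLite, OwnableLite, IRegistry and VaultLite are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified, reconstructed sketch of the Initializable guard before and
// after the CVE-2021-46320 fix. Not the project's code.

library AddressLite {
    // True when `account` already has runtime code. Inside a constructor the
    // contract's own code is not stored yet, so this is false for
    // address(this); it is true when an initializer runs in a later
    // transaction, which is the minimal-proxy case.
    function isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }
}

// BEFORE (shape of <=4.4.0): the multiple-inheritance exception is
// unconditional. While `_initializing` is true, any nested call to an
// `initializer` function passes the require, including one that arrives
// through an untrusted external call made by the running initializer.
abstract contract InitializableVulnerable {
    bool private _initialized;
    bool private _initializing;

    modifier initializer() {
        require(_initializing || !_initialized, "Initializable: contract is already initialized");
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }
}

// AFTER (shape of 4.4.1): the exception is honoured only inside a
// constructor, where reentrancy is impossible. Parent initializers switch to
// `onlyInitializing`, so the exception is no longer needed for inheritance.
abstract contract InitializableFixed {
    bool private _initialized;
    bool private _initializing;

    function _isConstructor() private view returns (bool) {
        return !AddressLite.isContract(address(this));
    }

    modifier initializer() {
        require(
            _initializing ? _isConstructor() : !_initialized,
            "Initializable: contract is already initialized"
        );
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }

    // For parent initializers (the __X_init functions): callable only while a
    // top-level `initializer` is running, never as an entry point of its own.
    modifier onlyInitializing() {
        require(_initializing, "Initializable: contract is not initializing");
        _;
    }
}

// Hypothetical interface standing in for any untrusted external call an
// initializer might make (a registry, a token hook, a fee receiver).
interface IRegistry {
    function register(address vault) external;
}

// Hypothetical parent written the 4.4.1 way: its init is `onlyInitializing`.
abstract contract OwnableLite is InitializableFixed {
    address public owner;

    function __OwnableLite_init(address initialOwner) internal onlyInitializing {
        owner = initialOwner;
    }
}

// Hypothetical implementation deployed behind a minimal proxy and initialized
// in a separate transaction. With InitializableFixed, a second `initialize`
// call arriving from inside `registry_.register` reverts, because the proxy
// already has code and `_isConstructor()` is false, so `owner` cannot be
// overwritten. The same contract on InitializableVulnerable would accept it.
contract VaultLite is OwnableLite {
    IRegistry public registry;

    function initialize(address initialOwner, IRegistry registry_) external initializer {
        __OwnableLite_init(initialOwner);
        registry = registry_;
        // Untrusted external call made before initialization has finished.
        // Safer still: move such calls to a separate, access-controlled step.
        registry_.register(address(this));
    }
}
```

The workaround in the Mitigation text corresponds to removing the `registry_.register` call from `initialize` altogether; the upgrade corresponds to swapping `InitializableVulnerable` for `InitializableFixed` and moving parent initializers onto `onlyInitializing`.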
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | < 4.4.1 | 4.4.1 |
Affected products
- OpenZeppelin/OpenZeppelin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-88g8-f5mf-f5rj (advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-46320 (advisory)
- [3] github.com/OpenZeppelin/openzeppelin-contracts/pull/3006
- [4] github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.4.1
- [5] github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx
News mentions
No linked articles in our index yet.