Skip to content

UUPSUpgradeable vulnerability in OpenZeppelin Contracts

Critical
frangio published GHSA-q4h9-46xg-m3x9 Sep 14, 2021

Package

npm @openzeppelin/contracts-upgradeable (npm)

Affected versions

>= 4.1.0 < 4.3.2

Patched versions

4.3.2

Description

Impact

Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.

Patches

A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.

Workarounds

Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.

References

A post-mortem will be published in a few days in the OpenZeppelin Forum.

For more information

If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.

Severity

Critical

CVE ID

No known CVE

Weaknesses

No CWEs