CVE-2021-41264 — Improper Initialization in Contracts

CWE-665 — Improper Initialization3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.6%

top 29.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts-upgradeable Openzeppelin Openzeppelin-contracts

Timeline

Latest updateSep 15

PublishedNov 12

Description

OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provid…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶npmopenzeppelin/contracts-upgradeable4.1.0 — 4.3.2

▶NVDopenzeppelin/contracts4.1.0 — 4.3.2

▶npmopenzeppelin/contracts4.1.0 — 4.3.2

▶CVEListV5openzeppelin/openzeppelin-contracts>= 4.1.0 < 4.3.2

Patches

Patch: forum.openzeppelin.com ↗Patch: github.com ↗Patch: forum.openzeppelin.com ↗

🔴Vulnerability Details

GHSA

UUPSUpgradeable vulnerability in @openzeppelin/contracts↗2021-09-15

▶

OSV

UUPSUpgradeable vulnerability in @openzeppelin/contracts↗2021-09-15

▶