Impact
Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
Patches
A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.
Workarounds
Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
References
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.
References
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76
- https://nvd.nist.gov/vuln/detail/CVE-2021-41264
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592
- https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301
- https://github.com/advisories/GHSA-5vp3-v4hc-gx76