Vulnerability Database

309,130

Total vulnerabilities in the database

UUPSUpgradeable vulnerability in @openzeppelin/contracts-upgradeable

Impact

Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.

Patches

A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.

Workarounds

Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.

References

A post-mortem will be published in a few days in the OpenZeppelin Forum.

For more information

If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.

Published: Sep 15, 2021
Updated: Apr 14, 2023
GHSA: GHSA-q4h9-46xg-m3x9
Severity: Critical
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
@openzeppelin / contracts-upgradeable	4.1.0	4.3.2

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-q4h9-46xg-m3x9

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo