Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNGg5LTQ2eGctbTN4Oc0Vww
UUPSUpgradeable vulnerability in @openzeppelin/contracts-upgradeable
Impact
Upgradeable contracts using UUPSUpgradeable
may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
Patches
A fix is included in version 4.3.2 of @openzeppelin/contracts
and @openzeppelin/contracts-upgradeable
.
Workarounds
Initialize implementation contracts using UUPSUpgradeable
by invoking the initializer function (usually called initialize
). An example is provided in the forum.
References
A post-mortem will be published in a few days in the OpenZeppelin Forum.
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at [email protected].
Permalink: https://github.com/advisories/GHSA-q4h9-46xg-m3x9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNGg5LTQ2eGctbTN4Oc0Vww
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-q4h9-46xg-m3x9
References:
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-q4h9-46xg-m3x9
- https://github.com/advisories/GHSA-q4h9-46xg-m3x9
Blast Radius: 0.0
Affected Packages
npm:@openzeppelin/contracts-upgradeable
Dependent packages: 853Dependent repositories: 4,919
Downloads: 585,606 last month
Affected Version Ranges: >= 4.1.0, < 4.3.2
Fixed in: 4.3.2
All affected versions: 4.1.0, 4.2.0, 4.3.0, 4.3.1
All unaffected versions: 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2