Contracts
CVE-2021-41264
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 71 npm packages depend on @openzeppelin/contracts (21 direct, 54 indirect)
Ecosystem-wide dependent count for version 4.1.0.
DescriptionCVE.org
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. For users unable to upgrade; initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
AnalysisAI
OpenZeppelin Contracts is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-665. OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. For users unable to upgrade; initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum. Affected products include: Openzeppelin Contracts. Version information: version 4.3.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK
OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot
OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot
OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 8.8), this vulnerab
OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i
OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.5), this vulnerab
OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i
OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i
OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.4), this vulnerab
Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. Rated medium severi
OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner
OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner
Same weakness CWE-665 – Improper Initialization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today