GHSA-5vp3-v4hc-gx76
GitHub Security Advisory
UUPSUpgradeable vulnerability in @openzeppelin/contracts
Advisory Details
### Impact
Upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
### Patches
A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`.
### Workarounds
Initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).
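As an added illustration (not code from the advisory or from OpenZeppelin), the pattern below marks the implementation's own storage as initialized at deployment time by running the `initializer` modifier in the constructor, so nobody can later call `initialize` on the bare implementation; the contract name, the body of `initialize`, and the `^0.8.2` compiler range are assumptions, and the `@custom:oz-upgrades-unsafe-allow constructor` annotation tells the OpenZeppelin Upgrades plugin that this constructor is intentional.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.2;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical UUPS implementation contract used to demonstrate the workaround.
contract ExampleVault is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public total;

    /// @custom:oz-upgrades-unsafe-allow constructor
    // Runs once, against the implementation's own storage (never the proxy's):
    // sets Initializable's `_initialized` flag, so a direct call to
    // `initialize()` on the implementation address reverts with
    // "Initializable: contract is already initialized".
    constructor() initializer {}

    // Called through the proxy (delegatecall) exactly once; the proxy's
    // storage still starts uninitialized, so this path is unaffected.
    function initialize() public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    function deposit() external payable {
        total += msg.value;
    }

    // Only the proxy's owner may authorize an upgrade; leaving this
    // without an access check is a separate, well-known mistake.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

For an implementation that is already deployed without such a constructor, the equivalent step is to send one `initialize()` transaction directly to the implementation address (not the proxy); a second call should then revert with the "already initialized" message, which is a cheap post-deployment check to add to a release checklist.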
### References
[Post-mortem](https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680).
### For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at [email protected].
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.