Vulnerability DatabaseWS-2021-0375
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
WS-2021-0375
Published:May 14, 2026
Updated:May 14, 2026
Impact Upgradeable contracts using "UUPSUpgradeable" may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon. Patches A fix is included in version 4.3.2 of "@openzeppelin/contracts" and "@openzeppelin/contracts-upgradeable". Workarounds Initialize implementation contracts using "UUPSUpgradeable" by invoking the initializer function (usually called "initialize"). An example is provided "in the forum" (https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301). References A post-mortem will be published in a few days in the "OpenZeppelin Forum" (https://forum.openzeppelin.com/). For more information If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.
Related Resources (3)
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/5c21639dc39b9062310ee3ca30aa2c3a4feccd8f
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-q4h9-46xg-m3x9
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
HIGH