QID 980117
QID 980117: Nodejs (npm) Security Update for contracts-upgradeable (GHSA-5vp3-v4hc-gx76)
Security update has been released for contracts-upgradeable,@openzeppelin/contracts to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
Solution
A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`.Workaround:
Initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).
Initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).
Vendor References
- GHSA-5vp3-v4hc-gx76 -
github.com/advisories/GHSA-5vp3-v4hc-gx76
CVEs related to QID 980117
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-5vp3-v4hc-gx76 | @openzeppelin/contracts |
github.com/advisories/GHSA-5vp3-v4hc-gx76 |
|
| GHSA-5vp3-v4hc-gx76 | contracts-upgradeable |
github.com/advisories/GHSA-5vp3-v4hc-gx76 |