
Improper Initialization


Severity High
Score 9.8/10


OpenZeppelin Contracts is a library for smart contract development. In affected versions, upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. This vulnerability affects `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable` in versions prior to 4.3.2. For users unable to upgrade, initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](
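The following is an added example of the workaround described above; it is not code from the advisory or from OpenZeppelin. It assumes `@openzeppelin/contracts-upgradeable` and `@openzeppelin/contracts` from the affected 4.3.x line are installed, and the `Vault` contract, its `totalDeposits` state and the `VaultDeployer` helper are illustrative. The point it shows is that the implementation contract gets its own `initialize` call, separate from the proxy's, so the implementation's one-time initializer cannot later be claimed by anyone else.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example (not from the advisory or OpenZeppelin). Assumes the 4.3.x
// line of @openzeppelin/contracts-upgradeable and @openzeppelin/contracts.
// "Vault", "totalDeposits" and "VaultDeployer" are illustrative names.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

contract Vault is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public totalDeposits;

    // `initializer` permits exactly one call per contract address. On the
    // proxy it sets up the proxy's storage; on the bare implementation it
    // consumes the one-time slot so nobody else can become its owner.
    function initialize(address owner_) public initializer {
        __Ownable_init();          // owner = msg.sender (the deployer)
        __UUPSUpgradeable_init();
        if (owner_ != msg.sender) {
            transferOwnership(owner_);
        }
    }

    function deposit() external payable {
        totalDeposits += msg.value;
    }

    // Upgrades are gated on ownership. An implementation that was never
    // initialized has no owner, which is the condition the advisory describes.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Deploys the implementation and the proxy and initializes BOTH, following
// the advisory's workaround for versions earlier than 4.3.2.
contract VaultDeployer {
    event Deployed(address implementation, address proxy);

    function deploy(address owner_) external returns (address impl, address proxy) {
        Vault implementation = new Vault();

        // Workaround step: initialize the bare implementation contract itself.
        implementation.initialize(owner_);

        // Normal setup: the proxy runs initialize() in its own storage context.
        bytes memory initData = abi.encodeWithSelector(Vault.initialize.selector, owner_);
        ERC1967Proxy p = new ERC1967Proxy(address(implementation), initData);

        emit Deployed(address(implementation), address(p));
        return (address(implementation), address(p));
    }
}
```

After `deploy` runs, calling `initialize` again on either address reverts with the `Initializable` error, which is the check to run on an existing deployment: if `initialize` on the implementation address does not revert, the implementation is still uninitialized and the workaround has not been applied. In later OpenZeppelin releases (4.6 and up) the same effect is obtained by calling `_disableInitializers()` in the implementation's constructor, but that helper is not available in the affected versions this advisory covers.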

  • LOW
  • HIGH
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-665 - Improper Initialization

The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Advisory Timeline

  • Published