Platform
nodejs
Component
@openzeppelin/contracts
Fixed in
4.0.1
3.3.1
3.3.1
4.3.1
CVE-2021-39167 is a critical remote code execution (RCE) vulnerability discovered in the @openzeppelin/contracts library. This flaw allows an attacker with the executor role to immediately seize control of the timelock by resetting the delay to zero, effectively granting them unrestricted access to assets held within the contract. The vulnerability impacts versions prior to 4.3.1, and a fix has been released in those versions.
The impact of CVE-2021-39167 is severe, particularly for decentralized applications (dApps) relying on @openzeppelin/contracts for timelock functionality. An attacker who can obtain or assume the executor role can bypass the intended timelock delay, instantly executing privileged operations. If the executor role is set to 'open', anyone can assume this role, dramatically increasing the attack surface. This could lead to unauthorized asset transfers, contract modifications, or complete control over the dApp's functionality. The potential for financial loss and reputational damage is significant, especially in high-value DeFi protocols.
This vulnerability was publicly disclosed on August 30, 2021. While no active exploitation campaigns have been definitively confirmed, the critical severity and ease of exploitation make it a high-priority target. The vulnerability's impact on DeFi protocols makes it a potential candidate for inclusion in the CISA KEV catalog. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Exploit Status
EPSS
0.44% (63% percentile)
CVSS Vector
The primary mitigation for CVE-2021-39167 is to immediately upgrade to a patched version of @openzeppelin/contracts (4.3.1 or later) or @openzeppelin/contracts-upgradeable. If an immediate upgrade is not feasible due to breaking changes, consider temporarily restricting access to the timelock functionality or implementing stricter access controls for the executor role. Monitor contract logs for any unusual activity related to timelock operations. While a WAF or proxy cannot directly address this vulnerability, they can be configured to detect and block suspicious transactions involving the timelock contract.
Revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-39167 is a critical vulnerability in @openzeppelin/contracts allowing an attacker to bypass timelock delays and gain control of contracts, potentially leading to asset theft.
You are affected if you are using @openzeppelin/contracts versions prior to 4.3.1 and your timelock contracts are vulnerable to unauthorized executor role manipulation.
Upgrade to @openzeppelin/contracts version 4.3.1 or later to patch the vulnerability. Review your contract configurations to ensure the executor role is not set to 'open'.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a high-risk target.
Refer to the official OpenZeppelin security advisory: https://blog.openzeppelin.com/security-advisory-timelock-vulnerabilities/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.