Platform: nodejs
Component: @openzeppelin/contracts-upgradeable
Fixed in: 4.0.1, 3.3.1, 4.3.1
CVE-2021-39168 is a critical Remote Code Execution (RCE) vulnerability discovered in the @openzeppelin/contracts-upgradeable library. This flaw allows an attacker holding the executor role to seize control of the timelock immediately by resetting the delay to zero, which effectively grants unrestricted access to the assets the contract holds. Versions prior to 4.3.1 are affected; the fix ships in 4.3.1 and later.
The impact of CVE-2021-39168 is severe, potentially leading to complete asset compromise. An attacker who gains control of the timelock can bypass intended delays and execute arbitrary actions, including transferring funds, modifying contract state, or even halting operations entirely. The vulnerability is particularly acute in instances where the executor role is set to 'open,' allowing anyone to assume the role and exploit the timelock. This is akin to a master key allowing unauthorized access to a secure vault. The potential for financial loss and reputational damage is significant, especially for decentralized applications (dApps) relying on @openzeppelin/contracts-upgradeable for secure asset management.
CVE-2021-39168 was publicly disclosed on August 30, 2021. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Exploit Status
EPSS: 0.44% (63rd percentile)
CVSS Vector:
The primary mitigation for CVE-2021-39168 is to upgrade to a patched version of @openzeppelin/contracts or @openzeppelin/contracts-upgradeable, specifically version 4.3.1 or later. If immediate upgrading is not feasible due to compatibility issues or deployment complexities, consider temporarily restricting access to the executor role. Implement strict access controls and multi-signature requirements for timelock operations. Carefully review the timelock configuration to ensure the executor role is not set to 'open.' After upgrading, verify the timelock functionality by simulating a delayed action and confirming that the intended delay is enforced.
Revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
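The two mitigation paragraphs above describe a procedure: find out who holds the executor role, revoke it from every executor that is not also a proposer, and make sure at least one proposer and one executor remain. The following JavaScript is an added example (not code from this advisory page or from OpenZeppelin) that applies that procedure to a snapshot of role membership and also flags an affected dependency version. It assumes the snapshot has already been collected (in practice from hasRole() calls or RoleGranted/RoleRevoked events through a library such as ethers.js; that chain access is not part of the example), and it relies on the OpenZeppelin AccessControl convention that a role granted to address(0) is an "open" role. The addresses and the snapshot itself are constructed sample data.

```javascript
// Added example (not from the advisory or from OpenZeppelin): audit a snapshot of
// TimelockController role membership against the mitigation in the advisory, and
// check whether a declared package version is still in the affected range.

// OpenZeppelin AccessControl convention: a role granted to address(0) is "open",
// meaning anyone may act in it. The advisory calls out an open executor role as the
// worst case, so it is always flagged and always revoked in the plan below.
const ZERO_ADDRESS = '0x0000000000000000000000000000000000000000';

// Per the advisory text: every version before 4.3.1 is affected.
const FIRST_FIXED = [4, 3, 1];

// Returns true when `version` (optionally with a ^ or ~ range prefix from package.json)
// is older than the first fixed release.
function isAffectedVersion(version) {
  const parts = version.replace(/^[\^~>=<\s]+/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIRST_FIXED[i]) return parts[i] < FIRST_FIXED[i];
  }
  return false; // exactly 4.3.1
}

// Addresses are compared case-insensitively (checksummed vs. lowercase forms).
function normalize(addresses) {
  return new Set(addresses.map((a) => a.toLowerCase()));
}

// Builds the revocation plan: which executors lose EXECUTOR_ROLE, which remain,
// and whether applying the plan still leaves a proposer and an executor in place.
function planExecutorRevocations(snapshot) {
  const proposers = normalize(snapshot.proposers);
  const executors = normalize(snapshot.executors);
  const findings = [];

  if (executors.has(ZERO_ADDRESS)) {
    findings.push('EXECUTOR_ROLE is open (granted to address(0)): anyone can execute');
  }
  if (proposers.has(ZERO_ADDRESS)) {
    findings.push('PROPOSER_ROLE is open (granted to address(0))');
  }

  // Mitigation: revoke from executors that are not also proposers, and from address(0).
  const revoke = [...executors].filter((a) => a === ZERO_ADDRESS || !proposers.has(a));
  const remainingExecutors = [...executors].filter((a) => !revoke.includes(a));
  // An open proposer role does not count as a proposer under the team's control.
  const controlledProposers = [...proposers].filter((a) => a !== ZERO_ADDRESS);
  const safe = remainingExecutors.length > 0 && controlledProposers.length > 0;
  if (!safe) {
    findings.push('plan would leave no controlled proposer or executor; grant a trusted proposer+executor first');
  }
  return { findings, revoke, remainingExecutors, safe };
}

// Constructed snapshot (not real deployment data): one team multisig that is both
// proposer and executor, one executor-only account, and an open executor role.
const SAMPLE_SNAPSHOT = {
  proposers: ['0xAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAa'],
  executors: [
    '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
    ZERO_ADDRESS,
  ],
};

console.log('^4.2.0 affected:', isAffectedVersion('^4.2.0'));
console.log(JSON.stringify(planExecutorRevocations(SAMPLE_SNAPSHOT), null, 2));
```

Each address in `revoke` corresponds to one revokeRole(EXECUTOR_ROLE, account) call on the timelock by an account holding the admin role; because the timelock is normally its own admin, those calls are themselves scheduled and executed through the timelock, so the `safe` flag matters: a plan that revokes the last executor cannot be completed afterwards.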
CVE-2021-39168 is a critical vulnerability in @openzeppelin/contracts-upgradeable allowing an attacker with the executor role to reset the timelock delay to 0, gaining unrestricted access to assets.
You are affected if you are using a version of @openzeppelin/contracts-upgradeable prior to 4.3.1, especially if the executor role is set to 'open.'
Upgrade to version 4.3.1 or later of @openzeppelin/contracts-upgradeable. Restrict access to the executor role if immediate upgrading is not possible.
While no confirmed active exploitation campaigns have been reported, the vulnerability's severity makes it a high-priority target and exploitation is possible.
Refer to the OpenZeppelin security advisory: https://blog.openzeppelin.com/security-advisory-cve-2021-39168/