Platform: nodejs
Component: @openzeppelin/contracts
Fixed in: 4.0.1, 3.3.1, 3.3.1, 4.3.1
CVE-2021-39167 is a critical remote code execution (RCE) vulnerability discovered in the @openzeppelin/contracts library. This flaw allows an attacker holding the executor role to immediately seize control of the timelock by resetting the delay to zero, effectively granting them unrestricted access to assets held within the contract. The vulnerability affects versions prior to 4.3.1; a fix is available in version 4.3.1.
The impact of CVE-2021-39167 is severe, particularly for decentralized applications (dApps) relying on @openzeppelin/contracts for timelock functionality. An attacker who can obtain or assume the executor role can bypass the intended timelock delay, instantly executing privileged operations. If the executor role is set to 'open', anyone can assume this role, dramatically increasing the attack surface. This could lead to unauthorized asset transfers, contract modifications, or complete control over the dApp's functionality. The potential for financial loss and reputational damage is significant, especially in high-value DeFi protocols.
This vulnerability was publicly disclosed on August 30, 2021. While no active exploitation campaigns have been definitively confirmed, the critical severity and ease of exploitation make it a high-priority target. The vulnerability's impact on DeFi protocols makes it a potential candidate for inclusion in the CISA KEV catalog. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Decentralized applications (dApps) and DeFi protocols that utilize @openzeppelin/contracts for timelock functionality are at significant risk. Projects with improperly configured executor roles (set to 'open') are particularly vulnerable. Smart contract developers and auditors should prioritize patching and reviewing their code.
• nodejs / smart contracts: npm audit @openzeppelin/contracts
• nodejs / smart contracts: grep -r "TimelockController" . --include="*.sol"
• nodejs / smart contracts: Examine contract deployment code for instances where the executor role is set to 'open'.
• nodejs / smart contracts: Review contract logs for any transactions that immediately execute timelock functions.
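The last check above, reviewing logs for operations that are executed without waiting out the delay, can be automated over decoded event records. The following Node.js script is an added example, not code from the original page or from OpenZeppelin. It assumes events have already been decoded into plain objects carrying the block timestamp, uses the TimelockController 4.x event names (CallScheduled, CallExecuted, Cancelled, MinDelayChange), and runs on a constructed sample log embedded inline.

```javascript
// Added example (not from the original page or OpenZeppelin): scan decoded
// TimelockController events for executions that did not wait out the delay
// and for the minimum delay being collapsed to zero.
// Assumption: `events` is in chain order and each record carries the block
// timestamp (seconds); the records below are constructed sample data.

const TWO_DAYS = 172800;

const SAMPLE_EVENTS = [
  // Normal path: scheduled with a 2-day delay, executed after it elapsed.
  { name: "CallScheduled", id: "0xaaa", timestamp: 1000, delay: TWO_DAYS },
  { name: "CallExecuted", id: "0xaaa", timestamp: 1000 + TWO_DAYS + 10 },
  // Suspicious: executed 500 seconds after scheduling despite a 2-day delay.
  { name: "CallScheduled", id: "0xbbb", timestamp: 2000, delay: TWO_DAYS },
  { name: "CallExecuted", id: "0xbbb", timestamp: 2500 },
  // Suspicious: the minimum delay is set to zero.
  { name: "MinDelayChange", timestamp: 2600, oldDuration: TWO_DAYS, newDuration: 0 },
  // Suspicious: no CallScheduled was ever observed for this operation id.
  { name: "CallExecuted", id: "0xccc", timestamp: 2700 },
];

// Returns a list of findings; an empty list means nothing looked abnormal.
function findSuspiciousTimelockActivity(events) {
  const scheduled = new Map(); // operation id -> { scheduledAt, delay }
  const findings = [];
  for (const ev of events) {
    if (ev.name === "CallScheduled") {
      scheduled.set(ev.id, { scheduledAt: ev.timestamp, delay: ev.delay });
    } else if (ev.name === "Cancelled") {
      // A cancelled operation may legitimately be scheduled again later.
      scheduled.delete(ev.id);
    } else if (ev.name === "CallExecuted") {
      const s = scheduled.get(ev.id);
      if (!s) {
        findings.push({ kind: "executed-without-schedule", id: ev.id, at: ev.timestamp });
      } else if (ev.timestamp < s.scheduledAt + s.delay) {
        findings.push({
          kind: "executed-before-delay",
          id: ev.id,
          at: ev.timestamp,
          waited: ev.timestamp - s.scheduledAt,
          required: s.delay,
        });
      }
    } else if (ev.name === "MinDelayChange" && ev.newDuration === 0) {
      findings.push({ kind: "min-delay-zeroed", at: ev.timestamp, previous: ev.oldDuration });
    }
  }
  return findings;
}

for (const f of findSuspiciousTimelockActivity(SAMPLE_EVENTS)) {
  console.log(JSON.stringify(f));
}
```

Feed it the full event history of the timelock rather than a window: an execution whose CallScheduled lies outside the window would otherwise be reported as "executed-without-schedule". Any "executed-before-delay" or "min-delay-zeroed" finding on a production timelock warrants an immediate look at who holds the executor role.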
disclosure
patch
Exploit status
EPSS: 0.44% (63rd percentile)
CVSS vector
The primary mitigation for CVE-2021-39167 is to immediately upgrade to a patched version of @openzeppelin/contracts (4.3.1 or later) or @openzeppelin/contracts-upgradeable. If an immediate upgrade is not feasible due to breaking changes, consider temporarily restricting access to the timelock functionality or implementing stricter access controls for the executor role. Monitor contract logs for any unusual activity related to timelock operations. While a WAF or proxy cannot directly address this vulnerability, they can be configured to detect and block suspicious transactions involving the timelock contract.
Revoke the executor role from any account that is not strictly under the team's control. It is recommended to revoke all executors that are not also proposers. When applying this mitigation, make sure that at least one proposer and one executor remain.
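The executor clean-up described above can be planned from the timelock's RoleGranted and RoleRevoked events before any transaction is sent. The following Node.js script is an added example, not code from the original page or from OpenZeppelin. It assumes the events have been decoded into plain objects, represents the role identifiers as plain labels (on-chain they are keccak256 of the role name), treats the zero address as the marker of an 'open' executor role as TimelockController does, and runs on a constructed sample history embedded inline.

```javascript
// Added example (not from the original page or OpenZeppelin): rebuild the
// current role holders of a TimelockController from RoleGranted/RoleRevoked
// events and plan which executors to revoke so that only proposers keep the
// executor role, without leaving the timelock with no proposer or executor.
// Assumption: role ids are plain labels here; on-chain they are
// keccak256("PROPOSER_ROLE") and keccak256("EXECUTOR_ROLE").

const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
const PROPOSER_ROLE = "PROPOSER_ROLE";
const EXECUTOR_ROLE = "EXECUTOR_ROLE";

// Constructed addresses for the sample history.
const TEAM_MULTISIG = "0x00000000000000000000000000000000000000a1";
const EXTERNAL_BOT = "0x00000000000000000000000000000000000000b2";
const OLD_DEPLOYER = "0x00000000000000000000000000000000000000c3";

const SAMPLE_ROLE_EVENTS = [
  { name: "RoleGranted", role: PROPOSER_ROLE, account: TEAM_MULTISIG },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: TEAM_MULTISIG },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: EXTERNAL_BOT },
  // Granting the executor role to address(0) is how the role is made 'open'.
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: ZERO_ADDRESS },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: OLD_DEPLOYER },
  { name: "RoleRevoked", role: EXECUTOR_ROLE, account: OLD_DEPLOYER },
];

// Replay grants and revokes in chain order; returns Map<role, Set<address>>.
function currentRoleHolders(events) {
  const holders = new Map();
  for (const ev of events) {
    if (!holders.has(ev.role)) holders.set(ev.role, new Set());
    const set = holders.get(ev.role);
    const account = ev.account.toLowerCase();
    if (ev.name === "RoleGranted") set.add(account);
    else if (ev.name === "RoleRevoked") set.delete(account);
  }
  return holders;
}

// Plan: revoke EXECUTOR_ROLE from every holder that is not also a proposer
// (address(0) is never a proposer, so an open executor role is always closed).
// `safe` is false when the plan would leave no executor or there is no proposer.
function planExecutorCleanup(holders) {
  const executors = holders.get(EXECUTOR_ROLE) || new Set();
  const proposers = holders.get(PROPOSER_ROLE) || new Set();
  const revoke = [...executors].filter((a) => !proposers.has(a));
  const remainingExecutors = [...executors].filter((a) => proposers.has(a));
  return {
    openExecutor: executors.has(ZERO_ADDRESS),
    revoke,
    remainingExecutors,
    remainingProposers: [...proposers],
    safe: remainingExecutors.length >= 1 && proposers.size >= 1,
  };
}

const plan = planExecutorCleanup(currentRoleHolders(SAMPLE_ROLE_EVENTS));
console.log(JSON.stringify(plan, null, 2));
```

Each address in `revoke` corresponds to one `revokeRole(EXECUTOR_ROLE, account)` call. Only a TIMELOCK_ADMIN_ROLE holder can make that call, and the timelock contract is its own admin, so when no external admin account exists the revocations themselves have to be scheduled and executed through the timelock and are subject to the delay. When `safe` is false, grant the executor role to a proposer under the team's control before revoking the others.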
CVE-2021-39167 is a critical vulnerability in @openzeppelin/contracts allowing an attacker to bypass timelock delays and gain control of contracts, potentially leading to asset theft.
You are affected if you are using @openzeppelin/contracts versions prior to 4.3.1 and your timelock contracts are vulnerable to unauthorized executor role manipulation.
Upgrade to @openzeppelin/contracts version 4.3.1 or later to patch the vulnerability. Review your contract configurations to ensure the executor role is not set to 'open'.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a high-risk target.
Refer to the official OpenZeppelin security advisory: https://blog.openzeppelin.com/security-advisory-timelock-vulnerabilities/