CVE-2021-46320: 
JavaScript vulnerability analysis and mitigation

In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (most prominently in minimal proxies) may be reentered if they make an untrusted non-view external call. While initializers are designed to run only once and never be re-executed, an exception implemented to support multiple inheritance made reentrancy possible, breaking the single-execution expectation. The vulnerability was discovered in December 2021 and assigned CVE-2021-46320. The impact is considered minor since upgradeable proxies are commonly initialized together with contract creation, where reentrancy is not feasible (OpenZeppelin Advisory).

The vulnerability affects initializer functions that are called separately from contract creation and make untrusted non-view external calls. An exception mechanism intended to support multiple inheritance inadvertently allowed these initializer functions to be reentered, violating the core security assumption that initializers can only be executed once. The issue affects OpenZeppelin contracts versions >=3.2.0 and <4.4.1. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) (NVD).

The vulnerability could allow an attacker to reenter and re-execute initialization functions if they contain untrusted external calls, potentially leading to double initialization. However, the real-world impact is considered minor since upgradeable proxies typically perform initialization during contract creation, where reentrancy is not possible (OpenZeppelin Advisory).

The vulnerability has been patched in version 4.4.1 of both @openzeppelin/contracts and @openzeppelin/contracts-upgradeable packages. As a workaround, developers should avoid making untrusted external calls during initialization (OpenZeppelin Advisory).