GHSA-9wxg-vf3r-56hc: OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source

June 19, 2026

The Contracts Wizard generators printed info.securityContact and info.license verbatim into a single-line comment of the generated Solidity, Cairo, Stellar/Soroban, and Stylus source without rejecting line terminators. A newline (\n or \r\n) in either field ends the comment, so the text after it is emitted as source rather than remaining inside the comment — allowing arbitrary declarations to be injected into the generated contract.

References

github.com/OpenZeppelin/contracts-wizard/security/advisories/GHSA-9wxg-vf3r-56hc
github.com/advisories/GHSA-9wxg-vf3r-56hc

Code Behaviors & Features

Detect and mitigate GHSA-9wxg-vf3r-56hc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →