Advisories for Npm/@Openzeppelin/Wizard package

2026

OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source

The Contracts Wizard generators printed info.securityContact and info.license verbatim into a single-line comment of the generated Solidity, Cairo, Stellar/Soroban, and Stylus source without rejecting line terminators. A newline (\n or \r\n) in either field ends the comment, so the text after it is emitted as source rather than remaining inside the comment — allowing arbitrary declarations to be injected into the generated contract.

OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri

The OpenZeppelin Contracts Wizard generated Hardhat (test/test.ts) and Foundry (test/<Name>.t.sol) example test files that interpolated user-supplied strings (opts.name, opts.uri) into the test source without escaping. A crafted input could produce a generated test file in which the input string broke out of its surrounding literal and was parsed as code, executing when a developer ran npm test or forge test on the downloaded project.