GHSA-9wxg-vf3r-56hcLowCVSS 3.3Disclosed before NVD

OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source

Published
June 19, 2026
Last Modified
June 19, 2026

📋 Description

Summary

The Contracts Wizard generators printed info.securityContact and info.license verbatim into a single-line comment of the generated Solidity, Cairo, Stellar/Soroban, and Stylus source without rejecting line terminators. A newline (\n or \r\n) in either field ends the comment, so the text after it is emitted as source rather than remaining inside the comment — allowing arbitrary declarations to be injected into the generated contract.

Impact

This only matters when these fields are filled from input other than the user who will use the generated contract. Normal self-service use does not meet that condition:

  • Web app, AI assistant, and CLI: the user supplies these fields and uses their own output, so a line break only affects their own contract. (These fields are not URL-derived, so shared links cannot set them.)
  • Self-hosted API: same — the end user supplies the options and consumes the result.

The case that matters is an integration that fills these fields from untrusted input — for example, an MCP agent whose tool arguments are derived from content it processed. There, a newline in the value can add lines to output that otherwise looks like normal Wizard source. Impact is integrity-only; there is no execution on any Wizard service.

Patches

Fixed by rejecting line terminators in setInfo — the single code path all surfaces use — so the value can no longer break out of the comment. Upgrade to the patched versions. @openzeppelin/wizard-confidential and @openzeppelin/wizard-uniswap-hooks reuse this setInfo through their @openzeppelin/wizard dependency and receive the fix once that dependency is updated to a patched version.

🎯 Affected products4

  • npm/@openzeppelin/wizard:<= 0.10.10
  • npm/@openzeppelin/wizard-cairo:<= 3.0.0
  • npm/@openzeppelin/wizard-stellar:<= 0.6.1
  • npm/@openzeppelin/wizard-stylus:<= 0.3.0

🔗 References (2)