OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source
📋 Description
Summary
The Contracts Wizard generators printed info.securityContact and info.license verbatim into a single-line comment of the generated Solidity, Cairo, Stellar/Soroban, and Stylus source without rejecting line terminators. A newline (\n or \r\n) in either field ends the comment, so the text after it is emitted as source rather than remaining inside the comment — allowing arbitrary declarations to be injected into the generated contract.
Impact
This only matters when these fields are filled from input other than the user who will use the generated contract. Normal self-service use does not meet that condition:
- Web app, AI assistant, and CLI: the user supplies these fields and uses their own output, so a line break only affects their own contract. (These fields are not URL-derived, so shared links cannot set them.)
- Self-hosted API: same — the end user supplies the options and consumes the result.
The case that matters is an integration that fills these fields from untrusted input — for example, an MCP agent whose tool arguments are derived from content it processed. There, a newline in the value can add lines to output that otherwise looks like normal Wizard source. Impact is integrity-only; there is no execution on any Wizard service.
Patches
Fixed by rejecting line terminators in setInfo — the single code path all surfaces use — so the value can no longer break out of the comment. Upgrade to the patched versions. @openzeppelin/wizard-confidential and @openzeppelin/wizard-uniswap-hooks reuse this setInfo through their @openzeppelin/wizard dependency and receive the fix once that dependency is updated to a patched version.
🎯 Affected products4
- npm/@openzeppelin/wizard:<= 0.10.10
- npm/@openzeppelin/wizard-cairo:<= 3.0.0
- npm/@openzeppelin/wizard-stellar:<= 0.6.1
- npm/@openzeppelin/wizard-stylus:<= 0.3.0