js · @openzeppelin/wizard · Critical
@openzeppelin/wizard: Code injection in generated test files via unescaped strings
The OpenZeppelin Contracts Wizard generated example test files that interpolated user-supplied strings without escaping, allowing code injection.
Who it affects
Users of the hosted Wizard (no action needed), users of @openzeppelin/wizard via public API (not affected), and callers of zipHardhat/zipFoundry who forward externally-controlled strings into opts.name/opts.uri (must upgrade).
What to do today
Upgrade @openzeppelin/wizard to version 0.10.9 if you use zipHardhat or zipFoundry with untrusted input.
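An added illustration of the pattern the advisory describes, not the Wizard's own code (which is not on this page): a hypothetical Hardhat test-file renderer that interpolates opts.name and opts.uri raw, beside one that emits them through JSON.stringify, plus a round-trip check a reviewer can run over generated files. Function names are assumptions; the Foundry (Solidity) side needs its own escaping and is not covered here.

```javascript
// Hypothetical renderer (not @openzeppelin/wizard's): raw template interpolation.
// A name or URI containing a quote, backslash or newline terminates the string
// literal early, so the remainder of the value is emitted as JavaScript code.
function renderHardhatTestUnsafe(opts) {
  return [
    'const { expect } = require("chai");',
    `describe("${opts.name}", function () {`,
    '  it("has the expected uri", async function () {',
    `    expect(await token.uri(0)).to.equal("${opts.uri}");`,
    '  });',
    '});',
  ].join('\n');
}

// JSON.stringify of a string yields a valid JavaScript string literal for any
// input: quotes, backslashes and control characters such as newlines are escaped.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value));
}

// Hardened renderer: every user-controlled value is emitted only as a literal.
function renderHardhatTestSafe(opts) {
  return [
    'const { expect } = require("chai");',
    `describe(${toJsStringLiteral(opts.name)}, function () {`,
    '  it("has the expected uri", async function () {',
    `    expect(await token.uri(0)).to.equal(${toJsStringLiteral(opts.uri)});`,
    '  });',
    '});',
  ].join('\n');
}

// Review check for generated files: the first describe() argument must be a
// single string literal that parses back to exactly the supplied name. The
// unsafe renderer fails this as soon as the name contains a quote or newline.
function describeArgRoundTrips(source, expectedName) {
  const m = source.match(/^describe\(("(?:[^"\\]|\\.)*")/m);
  if (!m) return false;
  try {
    return JSON.parse(m[1]) === expectedName;
  } catch (e) {
    return false; // literal was cut short or is not well formed
  }
}
```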