OpenZeppelin Contracts Wizard, Code Injection, CVE-2026-48054 (High) -DC-Jun2026-487


The OpenZeppelin Contracts Wizard is a widely-used interactive tool that generates boilerplate code for secure smart contract development, supporting languages such as Solidity, Cairo, Stellar/Soroban, and Stylus. A critical vulnerability, identified as CVE-2026-48054, was discovered in how the Wizard generates example test files for Hardhat and Foundry.
The root cause lies in the unsanitized interpolation of user-supplied strings—specifically the `opts.name` and `opts.uri` parameters—directly into the generated test source code. The Wizard’s generators for Hardhat (test/test.ts) and Foundry (test/<Name>.t.sol) embed these values without any escaping or validation.
An attacker can craft malicious input containing special characters, such as newline (\n or \r\n) or other delimiters, that breaks out of the intended string literal context. When this input is processed, the malformed string is emitted as part of the generated test file, causing the injected payload to be parsed as executable code rather than remaining as a benign string within the test. The impact is realized when a developer, believing they are using a safe, auto-generated project, runs the standard test commands—npm test or forge test—on their local machine. At that moment, the injected code executes with the same privileges as the test process, potentially leading to arbitrary code execution on the developer’s system.
It is important to note that this vulnerability primarily affects users who download and test a generated project locally. The hosted version of the Wizard at https://wizard.openzeppelin.com is not vulnerable, as it has been redeployed with the fix. Additionally, the vulnerable functions (`zipHardhat`, `zipFoundry`) are not part of the package's documented public API, meaning that standard usage of the `@openzeppelin/wizard` package is unaffected. The risk is confined to developers or integrations that explicitly call these internal functions with externally controlled strings.
DailyCVE Form
Platform: @openzeppelin/wizard
Version: < 0.10.9
Vulnerability: Code Injection
Severity: High
Date: 2026-06-11

Prediction: Already Patched

What Undercode Say: Analytics & Code
The vulnerability stems from a failure to sanitize inputs before embedding them in generated test files. The following code snippets illustrate the vulnerable patterns:
Vulnerable Hardhat Test Generation (test/test.ts):

```javascript
// The 'opts.name' and 'opts.uri' are interpolated directly into a
// template literal that becomes the generated test source.
// A payload like "'; maliciousCode(); //" could break out of the
// describe() string literal and be emitted as code.
const testContent = `
describe("${opts.name}", function () {
  it("Should deploy", async function () {
    // ...
  });
});
`;
```

Vulnerable Foundry Test Generation (test/<Name>.t.sol):

```solidity
// The 'opts.name' is used unsafely in the contract name and test logic.
contract ${opts.name}Test is Test {
    // ...
}
```

Example Malicious Payload:

An attacker could supply a value for `opts.name` such as:

"; console.log('Injected!'); //

This would result in generated code where the injected `console.log` is executed during the test run.

Exploit

To exploit this vulnerability, an attacker needs to identify an integration or service that uses the `zipHardhat` or `zipFoundry` functions and allows external control over the `opts.name` and `opts.uri` parameters. The attacker crafts a malicious payload containing code that, when executed, could steal sensitive information, install backdoors, or perform other harmful actions on the developer’s machine. A developer, lured into downloading and testing a project generated with this payload, would then inadvertently execute the attacker’s code.

Protection

The primary protection is to upgrade to `@openzeppelin/wizard` version 0.10.9 or later (the affected range is < 0.10.9). This patched version implements proper input sanitization, which prevents the injection of arbitrary code. For users of the hosted web application, no action is required, as it has already been updated. Integrators who call the `zipHardhat` or `zipFoundry` functions must ensure they are using the patched version and should also validate and sanitize any external input before passing it to these functions.
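As an added illustration (not the Wizard's own code, and not the upstream fix), the following JavaScript reproduces the interpolation pattern shown in the snippets above next to a hardened generator that applies the two controls the Protection section asks integrators for: reject a contract name that is not a plain identifier, and emit free-form strings such as `opts.uri` through `JSON.stringify` so they can never leave their string literal. The function names, the `payloadEscapedLiteral` check and the sample inputs are constructed for this example.

```javascript
// Added example, not code from the OpenZeppelin Wizard. Function names,
// sample inputs and the detection helper are constructed for illustration.

// Unsafe: mirrors the pattern the advisory describes. A quote or newline
// in opts.name or opts.uri lands in the generated source as code.
function generateHardhatTestUnsafe(opts) {
  return `describe("${opts.name}", function () {
  it("Should deploy", async function () {
    const uri = "${opts.uri}";
    // ...
  });
});
`;
}

// Contract names must be plain identifiers. Both Solidity and JavaScript
// accept this subset, and nothing in it can close a quoted string or a
// contract declaration, so it is safe in every context the generators use.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function assertIdentifier(value, field) {
  if (typeof value !== "string" || !IDENTIFIER.test(value)) {
    throw new Error(`${field} must be a plain identifier, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Free-form strings (a metadata URI) are emitted via JSON.stringify, which
// produces a double-quoted JavaScript string literal with quotes,
// backslashes, newlines and other control characters escaped.
function jsStringLiteral(value) {
  if (typeof value !== "string") throw new Error("expected a string");
  return JSON.stringify(value);
}

// Hardened Hardhat generator: name is validated, uri is escaped.
function generateHardhatTestSafe(opts) {
  const name = assertIdentifier(opts.name, "opts.name");
  const uri = jsStringLiteral(opts.uri === undefined ? "" : opts.uri);
  return `describe(${jsStringLiteral(name)}, function () {
  it("Should deploy", async function () {
    const uri = ${uri};
    // ...
  });
});
`;
}

// Hardened Foundry generator: the identifier check alone covers the
// `contract <Name>Test` context, since no escaping exists for Solidity
// identifiers and anything else must simply be refused.
function generateFoundryTestSafe(opts) {
  const name = assertIdentifier(opts.name, "opts.name");
  return `contract ${name}Test is Test {
    // ...
}
`;
}

// Returns true when the hardened generator refuses the options.
function rejectsUnsafeName(opts) {
  try {
    generateHardhatTestSafe(opts);
    return false;
  } catch (e) {
    return true;
  }
}

// Detection helper for generated output: strip every well-formed
// double-quoted literal; if a console.log( call survives, the payload
// ended up outside a string, i.e. it became code.
function payloadEscapedLiteral(source) {
  const withoutLiterals = source.replace(/"(?:[^"\\\n]|\\.)*"/g, '""');
  return /console\.log\(/.test(withoutLiterals);
}

// Constructed sample inputs: a benign project, the advisory's break-out
// payload placed in opts.name, and the same idea placed in opts.uri.
const BENIGN = { name: "MyToken", uri: "https://example.invalid/meta.json" };
const NAME_PAYLOAD = { name: "\"; console.log('Injected!'); //", uri: "x" };
const URI_PAYLOAD = { name: "MyToken", uri: "x\"; console.log('Injected!'); //" };
```

Run `payloadEscapedLiteral(generateHardhatTestUnsafe(NAME_PAYLOAD))` to see the unsafe generator emit the payload as code, while `generateHardhatTestSafe` throws on the same input and keeps the `URI_PAYLOAD` variant confined to its literal. The split between the two controls is deliberate: a name is structural (it becomes an identifier in both TypeScript and Solidity), so it is validated, not escaped; a URI is data, so it is escaped for the one language it is emitted into.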

Impact

The impact of this vulnerability is severe for affected users. It allows an unauthenticated attacker to achieve arbitrary code execution on a developer’s machine. This could lead to a complete compromise of the developer’s environment, including theft of source code, credentials, and other sensitive data. The CVSS score assigned to this vulnerability is 8.8 (High), reflecting the significant risk it poses.

Sources:

Reported By: github.com