
Cloud Vulnerability DB
A community-led vulnerabilities database
The GovernorCompatibilityBravo module vulnerability (GHSA-m6w8-fq7v-ph4m) was discovered and disclosed on January 11, 2022, affecting OpenZeppelin Contracts versions from 4.3.0 up to the fix in 4.4.2. This moderate-severity vulnerability impacts both the @openzeppelin/contracts and @openzeppelin/contracts-upgradeable packages (GitHub Advisory).
The vulnerability stems from incorrect ABI encoding in the GovernorCompatibilityBravo module when creating governance proposals using explicit function signatures. For example, when invoking a function foo(uint256) using propose([target], [0], ["foo(uint256)"], ["0x00..01"]), the arguments may be incorrectly encoded. However, the issue does not occur when the function selector is provided as part of the encoded proposal data, such as propose([target], [0], ["0x2fbebd3800..01"]) where 2fbebd38 represents the function selector (GitHub Advisory).
The vulnerability could result in governance proposals executing function calls with incorrect arguments due to bad ABI encoding. However, OpenZeppelin's assessment of on-chain instances found no occurrences of this bug in production. Additionally, proposal creation through Tally or OpenZeppelin Defender was not affected, and the core Governor contract remained uncompromised (GitHub Advisory).
The vulnerability has been patched in version 4.4.2 of both @openzeppelin/contracts and @openzeppelin/contracts-upgradeable packages. As a workaround, users are advised to avoid creating proposals using explicit function signatures. Instead, they should use the propose function without the signatures argument and create proposals using fully ABI-encoded function calls that include the function selector in the calldatas argument (GitHub Advisory).
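The encoding difference described above, as an added example that is not part of the advisory or of OpenZeppelin's code: it builds the calldata for foo(uint256) the correct way (function selector followed by the already ABI-encoded arguments, which is what the workaround asks proposers to submit in calldatas), models one way the "signature plus separate argument bytes" path can go wrong, and includes a check a reviewer can run on a pending proposal before voting. The buggy path modelled here, which wraps the caller-supplied argument bytes as a single ABI bytes parameter, is this example's assumption about the failure mode, not a statement taken from the advisory text; function names such as encode_call_fixed, encode_call_buggy and check_calldata are hypothetical. The selector 2fbebd38 for foo(uint256) is the one quoted above, and the Keccak-256 implementation is included only so the example runs offline without third-party packages.

```python
"""Added example (not OpenZeppelin's code): correct vs. mis-encoded Governor
proposal calldata for an explicit signature, plus a pre-vote consistency check.
Assumed failure mode: argument bytes wrapped as one dynamic ABI `bytes` value."""
import re

# --- minimal Keccak-256 (pre-SHA3 padding, as used for Solidity selectors) ---
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]
_MASK = (1 << 64) - 1


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & _MASK


def _keccak_f(A):
    """Keccak-f[1600] over 25 lanes indexed x + 5*y."""
    for rc in _RC:
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]                      # theta
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(A[x + 5 * y], _ROT[x][y])  # rho + pi
        A = [B[i] ^ (~B[(i % 5 + 1) % 5 + 5 * (i // 5)] & B[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                      # chi
        A[0] ^= rc                                                    # iota
    return A


def keccak256(data: bytes) -> bytes:
    rate = 136                                  # 1088-bit rate for a 256-bit digest
    msg = bytearray(data) + b"\x01"             # Keccak pad10*1 domain byte
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    A = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            A[i] ^= int.from_bytes(msg[off + 8 * i: off + 8 * i + 8], "little")
        A = _keccak_f(A)
    return b"".join(A[i].to_bytes(8, "little") for i in range(4))


# --- ABI helpers ---
def selector(signature: str) -> bytes:
    """4-byte function selector: first 4 bytes of keccak256 of the canonical signature."""
    return keccak256(signature.encode())[:4]


def encode_uint256(v: int) -> bytes:
    return v.to_bytes(32, "big")


def encode_call_fixed(signature: str, args_encoded: bytes) -> bytes:
    """Correct form: selector followed directly by the pre-encoded argument words.
    This is also the calldatas entry a proposer submits when using the workaround."""
    return selector(signature) + args_encoded


def encode_call_buggy(signature: str, args_encoded: bytes) -> bytes:
    """Assumed mis-encoding: the argument bytes are treated as one dynamic `bytes`
    parameter (offset word, length word, padded data) instead of being appended raw."""
    padded = args_encoded + b"\x00" * (-len(args_encoded) % 32)
    return selector(signature) + encode_uint256(32) + encode_uint256(len(args_encoded)) + padded


_STATIC = re.compile(r"^(u?int(\d+)?|address|bool|bytes([1-9]|[12]\d|3[0-2]))$")


def check_calldata(signature: str, calldata: bytes) -> list:
    """Reviewer check for a pending proposal: returns findings, empty means consistent.
    Verifies the selector prefix and, when every parameter is a static type,
    that the argument section is exactly one 32-byte word per parameter."""
    findings = []
    _, _, rest = signature.partition("(")
    types = [t for t in rest.rstrip(")").split(",") if t]
    if calldata[:4] != selector(signature):
        findings.append("selector mismatch")
    if all(_STATIC.match(t) for t in types):
        expected_args = 32 * len(types)
        if len(calldata) - 4 != expected_args:
            findings.append(f"argument length {len(calldata) - 4} != {expected_args}")
    return findings


if __name__ == "__main__":
    sig, arg = "foo(uint256)", encode_uint256(1)   # constructed sample proposal action
    for label, cd in (("fixed", encode_call_fixed(sig, arg)), ("buggy", encode_call_buggy(sig, arg))):
        print(label, cd.hex(), check_calldata(sig, cd) or "ok")
```

Running the module shows the correct 36-byte calldata 2fbebd38 followed by the 32-byte word for 1, while the modelled mis-encoding yields 100 bytes with the same selector; a length check against the signature's static parameter list catches the latter before it reaches a vote, which is the kind of pre-execution review worth applying to any proposal created through the signatures path on an affected version.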
Source: This report was generated using AI