I believe the vulnerability does not affect Ethereum, since adding null-byte padding to the front of anything signed as RLP data or as an EIP-191 payload mangles the meaning of its representation.
$ npm i @openzeppelin/upgrades
...
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN upgrades@1.0.0 No description
npm WARN upgrades@1.0.0 No repository field.
+ @openzeppelin/upgrades@2.8.0
added 415 packages from 321 contributors and audited 415 packages in 32.604s
6 packages are looking for funding
run `npm fund` for details
found 564 vulnerabilities (1 low, 563 high)
run `npm audit fix` to fix them, or `npm audit` for details
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Signature Malleability                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ elliptic                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @openzeppelin/upgrades                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @openzeppelin/upgrades > ethers > elliptic                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1547                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
npm audit reports a High vulnerability in @openzeppelin/upgrades@2.8.0 for the dependency elliptic.
NPM Advisory: https://npmjs.com/advisories/1547
From https://github.com/ethers-io/ethers.js/issues/985
Reported in the Community Forum: https://forum.openzeppelin.com/t/vulnerabilities-reported-when-installing-openzeppelin-upgrades-via-npm/3614