diff --git a/CHANGELOG.md b/CHANGELOG.md
index 94274434..7ee846af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## v0.8.42
+
+- Added test for Multicall + ERC2771 malicious calldata
+
 ## v0.8.41
 
 - Add `.altimist` TLD
diff --git a/package.json b/package.json
index 8efc9364..678b0af4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "uns",
-  "version": "0.8.41",
+  "version": "0.8.42",
   "description": "UNS contracts and tools",
   "repository": "https://github.com/unstoppabledomains/uns.git",
   "main": "./dist/index.js",
diff --git a/test/UNSRegistry.metatx.test.ts b/test/UNSRegistry.metatx.test.ts
index fc186d58..4be489de 100644
--- a/test/UNSRegistry.metatx.test.ts
+++ b/test/UNSRegistry.metatx.test.ts
@@ -532,5 +532,31 @@ describe('UNSRegistry (metatx)', () => {
 
       expect(await unsRegistry.ownerOf(tokenId)).to.be.equal(receiver.address);
     });
+
+    it('should not allow passing malicious calldata to meta tx multicall', async () => {
+      const labels = ['res_label_m1x', 'crypto'];
+      const tokenId = await mintDomain(unsRegistry, owner, labels);
+
+      expect(await unsRegistry.ownerOf(tokenId)).to.be.equal(owner.address);
+
+      const { req, signature } = await buildExecuteParams(
+        'multicall(bytes[])',
+        [
+          [
+            ethers.utils.solidityPack(['bytes', 'address', 'uint256'], [
+              unsRegistry.interface.encodeFunctionData('setOwner', [nonOwner.address, tokenId]),
+              owner.address,
+              tokenId,
+            ]),
+          ],
+        ],
+        nonOwner,
+        tokenId,
+      );
+
+      await expect(
+        unsRegistry.connect(nonOwner).execute(req, signature),
+      ).to.be.revertedWith('Registry: SENDER_IS_NOT_APPROVED_OR_OWNER');
+    });
   });
 });