Skip to content

[thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values

Moderate
postspectacular published GHSA-rj44-gpjc-29r7 Mar 30, 2021

Package

npm @thi.ng/egf (npm)

Affected versions

<=0.3.21

Patched versions

0.4.0

Description

Impact

Potential for arbitrary code execution in #gpg-tagged property values (only if decrypt: true option is enabled)

Patches

A fix has already been released as v0.4.0

Workarounds

By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser env).

However, if GPG encrypted values are used/required:

  1. Perform a regex search for #gpg-tagged values in the EGF source file/string and check for backtick (`) chars in the encrypted value string
  2. Replace/remove them or skip parsing if present...

References

https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261

For more information

If you have any questions or comments about this advisory, please open an issue in the thi.ng/umbrella repo, of which this package is part of.

Severity

Moderate

CVE ID

CVE-2021-21412

Weaknesses

Credits