GHSA-rj44-gpjc-29r7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rj44-gpjc-29r7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rj44-gpjc-29r7/GHSA-rj44-gpjc-29r7.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rj44-gpjc-29r7
- Aliases
- Related
- Published
- 2021-04-06T17:22:41Z
- Modified
- 2026-01-30T01:52:46.429303Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values
- Details
-
Impact
Potential for arbitrary code execution in
#gpg-tagged property values (only ifdecrypt: trueoption is enabled)Patches
A fix has already been released as v0.4.0
Workarounds
By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser env).
However, if GPG encrypted values are used/required:
- Perform a regex search for
#gpg-tagged values in the EGF source file/string and check for backtick (`) chars in the encrypted value string - Replace/remove them or skip parsing if present...
References
https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261
For more information
If you have any questions or comments about this advisory, please open an issue in the thi.ng/umbrella repo, of which this package is part of.
- Perform a regex search for
- Database specific
{ "cwe_ids": [ "CWE-78" ], "github_reviewed": true, "nvd_published_at": "2021-03-30T18:15:00Z", "severity": "MODERATE", "github_reviewed_at": "2021-03-30T17:40:22Z" }- References
-
- https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7
- https://nvd.nist.gov/vuln/detail/CVE-2021-21412
- https://github.com/thi-ng/umbrella/commit/88f61656e5f5cfba960013b8133186389efaf243
- https://github.com/thi-ng/umbrella/blob/develop/packages/egf/CHANGELOG.md#040-2021-03-27
- https://www.npmjs.com/package/@thi.ng/egf
Affected packages
npm / @thi.ng/egf
Package
- Name
- @thi.ng/egf
- View open source insights on deps.dev
- Purl
- pkg:npm/%40thi.ng/egf