CVE-2021-32830 — Command injection in @diez/generation

Description

The `@diez/generation` npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE.

How to fix CVE-2021-32830

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2021-32830 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 10.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.9	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32830
ADVISORYsecuritylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection
PATCHgithub.com/diez/diez
WEBwww.npmjs.com/package/@diez/generation