VYPR
Moderate severity · NVD Advisory · Published Mar 30, 2021 · Updated Aug 3, 2024

[thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values

CVE-2021-21412

Description

Arbitrary command injection in @thi.ng/egf #gpg-tagged properties when decrypt: true; patched in v0.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-21412 affects the @thi.ng/egf npm package, specifically the built-in #gpg tag parser. When the decrypt: true option is enabled, the parser interpolates the encrypted property value into a shell command string run through execSync, echoing the value and piping it to gpg --decrypt. If the value contains backtick characters (`` ` ``), an attacker can inject arbitrary shell commands that execute during parsing [1][4]. Because the value is interpolated inside a double-quoted shell string, $(...) command substitution is interpreted the same way, so a check for backticks alone does not cover every injection path.

Exploitation

The attack surface is limited to applications that parse untrusted EGF files or strings with the decrypt: true option set (it is off by default). The attacker must be able to supply crafted EGF input containing a #gpg-tagged property whose value embeds shell metacharacters such as backticks; no authentication is required beyond the ability to provide that input [4].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This could lead to full compromise of the application, data exfiltration, or lateral movement within the hosting environment [1][4].

Mitigation

The package maintainers released version 0.4.0, which replaces the execSync call with execFileSync and passes the value to gpg on stdin rather than through a shell, eliminating shell interpretation of the input [3]. Decryption remains off unless explicitly enabled. As a workaround on earlier versions, #gpg-tagged values can be inspected before parsing and any containing backticks rejected [4]; because the original command interpolated the value inside a double-quoted shell string, the same check should also reject $( and unescaped double quotes. Upgrading to v0.4.0 or later is the complete remediation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions   Patched versions
@thi.ng/egf (npm)   < 0.4.0             0.4.0

Affected products: 2

Patches: 1

Commit 88f61656e5f5

Merge pull request from GHSA-rj44-gpjc-29r7

https://github.com/thi-ng/umbrella · Karsten Schmidt · Mar 27, 2021 · via ghsa
1 file changed · +4 −2
  • packages/egf/src/tags.ts (+4 −2, modified)
    @@ -1,7 +1,7 @@
     import type { IObjectOf } from "@thi.ng/api";
     import { maybeParseFloat, maybeParseInt, unescape } from "@thi.ng/strings";
     import { base64Decode } from "@thi.ng/transducers-binary";
    -import { execSync } from "child_process";
    +import { execFileSync } from "child_process";
     import { readFileSync } from "fs";
     import { resolve as resolvePath } from "path";
     import { IS_NODE, NODE_ONLY, TagParser } from "./api";
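Review bot: Only the import swap lands in this hunk and the substantive fix is in the next one, so the point here is a follow-up rather than a defect: with `execSync` gone, the remaining Node-only imports (`readFileSync`, `resolvePath`) are the other places where tag bodies from parsed input reach the filesystem, and whichever tag parsers use them deserve the same untrusted-input review that `#gpg` just received, even though nothing in these lines shows a problem.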
    @@ -24,7 +24,9 @@ export const BUILTINS: IObjectOf<TagParser> = {
         gpg: IS_NODE
             ? (_, body, ctx) =>
                   (ctx.opts.decrypt
    -                  ? execSync(`echo "${body}" | gpg --decrypt`).toString()
    +                  ? execFileSync("gpg", ["--decrypt"], {
    +                        input: body,
    +                    }).toString()
                       : body
                   ).trim()
             : NODE_ONLY,
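Review bot: `execFileSync("gpg", ["--decrypt"], { input: body })` takes the shell out of the path and fixes the injection, but no `--batch` (and `--no-tty`) flag is passed, so on a host where the key needs a passphrase gpg may try to prompt and block the synchronous parse instead of failing; consider `["--batch", "--decrypt"]`. Two smaller points worth a sentence in the docs: `execFileSync` throws on a non-zero exit, so a bad ciphertext now surfaces as an exception from the parser, and the old `echo` supplied a trailing newline that the `input` option no longer does. With `decrypt: true` attacker-controlled bytes still reach gpg's own parser, just not a shell.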
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.