CVE-2021-32830
Description
The @diez/generation npm package's locateFont method has a command injection vulnerability that can lead to remote code execution when called with untrusted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The @diez/generation npm package (all versions as of the CVE publication) contains a command injection vulnerability in the locateFont method [2][3]. locateFont, which is meant to find a font file on the system, interpolates its first argument into an OS shell command without neutralizing shell metacharacters, so an attacker who controls that argument can inject arbitrary commands.
Exploitation
An attacker can exploit this vulnerability by providing untrusted input to the locateFont method [3]. The proof-of-concept demonstrates that passing a string containing a backtick-enclosed command (e.g., ``foo'`touch /tmp/exploit` '``) results in command execution. The exploit works on macOS, or on other Unix systems if the isMacOS function is patched in the local installation (found in node_modules/@diez/cli-core/lib/utils.js). No authentication or special privileges are required; the attacker only needs to control the input to the vulnerable method.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the system running the vulnerable code [2][3]. This can lead to remote code execution (RCE) if the library is used in a server-side context with untrusted input. The attacker gains the ability to run shell commands with the privileges of the calling process, potentially leading to full system compromise.
Mitigation
As of the disclosure timeline (July 2021), no fix has been released for this vulnerability [3]. All versions of @diez/generation are affected. Users should avoid passing untrusted input to the locateFont method and consider not using the package until a patched version is available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @diez/generation (npm) | <= 10.6.0 | — |
Affected products
- diez/diez v5 (range: all)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `locateFont` method does not sanitize shell metacharacters in its first argument, allowing an attacker to inject arbitrary OS commands."
Attack vector
An attacker can supply a malicious string as the `locateFont` method's first argument. The method fails to neutralize shell metacharacters, so a payload such as ``foo'`touch /tmp/exploit`'`` closes the quoted string the argument is spliced into and the OS shell executes the backtick-enclosed command [ref_id=1]. The PoC works on macOS, or on other Unix systems if the `isMacOS` function is patched locally [ref_id=1]. If a client of the library passes untrusted input to `locateFont`, this leads to remote code execution [CWE-78] [ref_id=1].
Affected code
The `locateFont` method in the `@diez/generation` npm package is vulnerable. The advisory does not specify the exact file path within the package, but notes that the PoC relies on the `isMacOS` function found in `node_modules/@diez/cli-core/lib/utils.js` [ref_id=1].
What the fix does
No patch or fix has been published by the maintainers; the advisory notes that the disclosure deadline expired without a resolution [ref_id=1]. The recommended remediation is to avoid passing untrusted input to the `locateFont` method, or to validate the input by rejecting (rather than merely escaping) shell metacharacters before calling it [CWE-78]. For the library itself, the durable fix for this class of bug is to stop building a shell command line from the font name and instead pass it as a discrete argument through an argv-based API (Node's `child_process.execFile` or `spawn` without `shell: true`), so no shell ever interprets the value.
Preconditions
- Input: the attacker must be able to supply the first argument to the locateFont method (e.g., via user-controlled input passed by a client of the library).
- Config: the vulnerable code path requires the isMacOS function to return true (macOS), or the function must be patched to return true on other Unix systems.
Reproduction
1. Install the package: `npm install @diez/generation`
2. Create a file with:
   ```js
   // PoC from the advisory: the first argument is spliced into a shell
   // command, so the backtick-enclosed command runs when the shell parses it.
   const generation = require("@diez/generation");
   generation.locateFont("foo'`touch /tmp/exploit` '", {});
   ```
3. Run the file on macOS (or on another Unix system with `isMacOS` patched as described above). A file named `/tmp/exploit` will be created, confirming command execution [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8c3f-x5f9-6h62 (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-32830 (GHSA: ADVISORY)
- securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection (GHSA: ADVISORY)
- securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/ (MITRE: x_refsource_CONFIRM)
- www.npmjs.com/package/%40diez/generation (MITRE: x_refsource_MISC)
- www.npmjs.com/package/@diez/generation (GHSA: WEB)
News mentions
No linked articles in our index yet.