CVE-2021-29369
📋 TL;DR
CVE-2021-29369 is a critical OS command injection vulnerability in the @rkesters/gnuplot Node.js package. It allows attackers to execute arbitrary shell commands by injecting metacharacters into Gnuplot commands. This affects any Node.js application using vulnerable versions of this package.
💻 Affected Systems
- @rkesters/gnuplot Node.js package
📦 What is this software?
Gnuplot by Gnuplot Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Remote code execution within the application context, potentially leading to data theft, service disruption, or lateral movement.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, potentially only causing application crashes.
🎯 Exploit Status
Exploitation is straightforward - attackers can inject shell metacharacters into gnuplot commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.0 and later
Vendor Advisory: https://github.com/rkesters/gnuplot/commit/23671d4d3d28570fb19a936a6328bfac742410de
Restart Required: Yes
Instructions:
1. Update package.json to require '@rkesters/gnuplot': '>=0.1.0'.
2. Run 'npm update @rkesters/gnuplot'.
3. Restart your Node.js application.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject any input containing shell metacharacters before passing it to gnuplot commands.
// JavaScript example (no /g flag: a global regex keeps lastIndex between test() calls and returns inconsistent results): if (/[;&|`$()\[\]{}<>]/.test(userInput)) { rejectInput(); }
Sandbox Execution
Run the gnuplot process in a restricted environment with limited permissions.
// Use child_process with restricted environment variables and user permissions
🧯 If You Can't Patch
- Implement strict input validation to reject shell metacharacters in all user-controlled inputs passed to gnuplot.
- Run the Node.js application with minimal privileges and in a containerized/sandboxed environment.
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list @rkesters/gnuplot' to see whether the installed version is below 0.1.0.
Check Version:
npm list @rkesters/gnuplot
Verify Fix Applied:
Confirm that the installed version is 0.1.0 or higher with 'npm list @rkesters/gnuplot', and test that shell metacharacters in gnuplot commands are no longer executed.
📡 Detection & Monitoring
Log Indicators:
- Unexpected shell commands in application logs
- Gnuplot process spawning unexpected child processes
- Application crashes with command execution errors
Network Indicators:
- Unexpected outbound connections from the Node.js process
- Data exfiltration patterns
SIEM Query:
process.name: 'node' AND (process.args: '*gnuplot*' AND process.args: '*[;&|`$()]*')