Nostalgic Perogi Monogramming
Severity: low

Command Injection

ascii-art

Overview

Versions of ascii-art before 1.4.4 are vulnerable to command injection. This is exploitable when user input is passed into the argument of the ascii-art preview command.

Example Proof of concept: ascii-art preview 'doom"; touch /tmp/malicious; echo "'

Given that the input is passed on the command line and none of the api methods are vulnerable to this, the likely exploitation vector is when the ascii-art comment is being called programmatically using something like execFile.

Remediation

Update to version 1.4.4 or later.

Advisory timeline

  1. Created

    2018-11-07T21:04:14.949Z
  2. Updated

    2018-11-07T21:10:04.846Z