CVE-2022-39390: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

November 8, 2022

Octocat.js is a library used to render a set of options into an SVG. Versions prior to 1.2 are subject to JavaScript injection via user provided URLs. Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code. This vulnerability was fixed in version 1.2 of octocat.js. As a workaround, writing an image to disk then using that image in an image element in HTML mitigates the risk.

References

github.com/advisories/GHSA-r4jg-5v89-9v62
github.com/octocademy/octocat.js/security/advisories/GHSA-r4jg-5v89-9v62

Code Behaviors & Features

Detect and mitigate CVE-2022-39390 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →