PT-2021-14487 · Unknown · @Thi.Ng/Egf

Erik-Krogh · Published 2021-03-30 · Updated 2021-04-06 · CVE-2021-21412

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
@thi.ng/egf versions prior to 0.4.0

Description
The issue concerns arbitrary code execution via #gpg-tagged property values when the decrypt: true option is enabled. It is relevant only when GPG-encrypted values are used or required: the EGF parse functions do not attempt to decrypt values by default, because GPG is not available in browser environments.

Recommendations
For versions prior to 0.4.0, update to version 0.4.0 or later to resolve the issue. As a temporary workaround, perform a regex search for #gpg-tagged values in the EGF source file/string and check for backtick (`) characters in the encrypted value string; if any are present, replace or remove them, or skip parsing altogether.
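The following is an added example of the pre-parse check described in the workaround above; it is not code from the advisory or from the @thi.ng/egf project. It assumes (an assumption, not something the advisory states) that a #gpg-tagged property is written on a single line as "key #gpg <encrypted value>". The sample input is constructed and contains no real ciphertext.

```javascript
// Added example (not from the advisory or the @thi.ng/egf project).
// Assumption: a #gpg-tagged property occupies one line, "<key> #gpg <encrypted value>".

// Matches the #gpg tag and captures the remainder of the line as the encrypted value.
const GPG_LINE_RE = /#gpg[ \t]+(.*)$/;

/**
 * Scan EGF source text and return every #gpg-tagged value with its
 * 1-based line number and whether the value contains a backtick.
 */
function findGpgValues(src) {
  const results = [];
  src.split(/\r?\n/).forEach((line, i) => {
    const m = GPG_LINE_RE.exec(line);
    if (m) {
      results.push({ line: i + 1, value: m[1], hasBacktick: m[1].includes("`") });
    }
  });
  return results;
}

/** True if any #gpg-tagged value in the source contains a backtick. */
function hasUnsafeGpgValues(src) {
  return findGpgValues(src).some((r) => r.hasBacktick);
}

/**
 * The advisory's "replace or remove" option: strip backticks from every
 * #gpg-tagged value. This alters the value text, so such a value will no longer
 * decrypt; skipping the parse (see safeToDecrypt) is the more conservative choice.
 */
function stripBackticksFromGpgValues(src) {
  return src
    .split(/\r?\n/)
    .map((line) =>
      line.replace(/(#gpg[ \t]+)(.*)$/, (_, tag, val) => tag + val.replace(/`/g, ""))
    )
    .join("\n");
}

/** Guard to run before passing source to the parser with decrypt: true. */
function safeToDecrypt(src) {
  const bad = findGpgValues(src).filter((r) => r.hasBacktick);
  if (bad.length > 0) {
    return {
      ok: false,
      reason: `backtick in #gpg value on line(s) ${bad.map((r) => r.line).join(", ")}; refusing to parse with decrypt: true`,
    };
  }
  return { ok: true };
}

// Constructed sample in the assumed EGF-like layout (not real ciphertext).
// The second #gpg value deliberately contains stray backticks.
const SAMPLE = [
  "alice",
  "    name Alice",
  "    secret #gpg -----BEGIN PGP MESSAGE-----",
  "bob",
  "    secret #gpg hQEMA`...`...",
].join("\n");

// Stand-alone usage: report the verdict for the sample, then for the cleaned copy.
console.log(safeToDecrypt(SAMPLE));
console.log(safeToDecrypt(stripBackticksFromGpgValues(SAMPLE)));
```

Run safeToDecrypt on the source string before calling the parser with decrypt: true, and only parse when it returns ok: true; use stripBackticksFromGpgValues only if you are prepared for the affected values not to decrypt.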

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2021-21412
GHSA-RJ44-GPJC-29R7

Affected Products

@Thi.Ng/Egf