CVE-2022-21165

Name of the Vulnerable Software and Affected Versions font-converter versions all

Description The issue is related to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child process.exec() function. This affects a FontForge wrapper used for conversion between different font formats, including TTF, WOFF, and OTF.

Recommendations For all versions, consider disabling the use of the child process.exec() function until a patch is available. Restrict input to prevent potential command injection. Avoid using unsanitized input in the font-converter package to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.