PT-2024-12939 · Astropy +1

Published: 2024-03-18 · Updated: 2024-09-25

CVE-2023-41334

CVSS v3.1: 8.4
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

Astropy version 5.3.2

Description:

The issue is remote code execution caused by improper input validation in the `TransformGraph().to_dot_graph` function. A malicious user can supply a command or a script file as the value of the `savelayout` argument, which is placed as the first element of the argument list passed to `subprocess.Popen`. Although an error is raised afterwards, the command or script has already been executed successfully by then.

Recommendations:

For version 5.3.2, update to version 5.3.3 to fix the issue. As a temporary workaround, consider restricting the use of the `TransformGraph().to_dot_graph` function or limiting access to the `savelayout` argument to prevent exploitation.
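The unsafe pattern the description refers to, placed beside an allowlist-based hardening, as an added illustration that is not astropy's own code: the allowlist, the helper names and the `out_fmt` parameter are assumptions made for this example, and the hardened variant is one reasonable mitigation rather than a copy of the upstream 5.3.3 patch.

```python
from __future__ import annotations

import shutil
import subprocess

# Graphviz layout engines that Graphviz itself ships; anything else is refused.
# This allowlist is an assumption chosen for the example, not a quote of the upstream fix.
ALLOWED_LAYOUTS = frozenset({"dot", "neato", "fdp", "sfdp", "twopi", "circo"})


def build_layout_command_vulnerable(savelayout: str, out_fmt: str = "plain") -> list[str]:
    """Reproduces the unsafe pattern: the caller-supplied value becomes argv[0].

    Popen spawns whatever program this list names before any later step runs,
    so an error raised while handling the program's output comes too late.
    """
    return [savelayout, f"-T{out_fmt}"]


def build_layout_command_hardened(savelayout: str, out_fmt: str = "plain") -> list[str]:
    """Only a name from the allowlist may become argv[0], resolved via PATH."""
    if savelayout not in ALLOWED_LAYOUTS:
        raise ValueError(
            f"savelayout must be one of {sorted(ALLOWED_LAYOUTS)}, got {savelayout!r}"
        )
    exe = shutil.which(savelayout)
    if exe is None:
        raise FileNotFoundError(f"Graphviz layout engine {savelayout!r} is not installed")
    return [exe, f"-T{out_fmt}"]


def run_layout(dot_source: str, savelayout: str) -> str:
    """Run the hardened command on DOT text and return the layout output."""
    cmd = build_layout_command_hardened(savelayout)
    proc = subprocess.run(cmd, input=dot_source, capture_output=True, text=True, check=True)
    return proc.stdout


def is_rejected(value: str) -> bool:
    """True when the hardened builder refuses `value` as a layout engine name."""
    try:
        build_layout_command_hardened(value)
    except ValueError:
        return True
    except FileNotFoundError:
        return False  # allowlisted name; Graphviz simply is not installed here
    return False
```

`run_layout` only reaches `subprocess.run` with an executable resolved from the allowlist, so a path or command string handed in as `savelayout` is rejected before any process is spawned.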

Fix

RCE

Special Elements Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2023-41334
DLA-3803-1
GHSA-H2X6-5JX5-46HF
MGASA-2024-0313
OPENSUSE-SU-2024:13797-1

Affected Products

Astropy
Debian