Versions of gm prior to 1.21.1 are affected by a command injection vulnerability. The vulnerability is triggered when user input is passed into gm.compare(), which fails to sanitize input correctly before calling the graphics magic binary.

Recommendation

Update to version 1.21.1 or later.

References

• aheckmann/gm@5f5c774
• https://www.npmjs.com/advisories/54
• https://nvd.nist.gov/vuln/detail/CVE-2015-7982