An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVnd2gtZzc5ai12aDRx

Critical EPSS: 0.0834% (0.91852 Percentile)

Command Injection in pdf-image

Affected Packages: npm:pdf-image
Affected Versions: < 2.0.0
Fixed Versions: 2.0.0
27 Dependent packages
203 Dependent repositories
44,248 Downloads last month

Affected Version Ranges

All affected versions

0.0.1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0

All unaffected versions

2.0.0

Versions of pdf-image before 2.0.0 are vulnerable to command injection. This vulnerability is exploitable if the attacker has control over the pdfFilePath variable passed into pdf-image.

Recommendation

Update to version 2.0.0 or later.
