Headline
CVE-2023-26155: Potential command injection vulnerability in node-qpdf · Issue #23 · nrhirani/node-qpdf
All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.
Hi,
We would like to report a potential security vulnerability.
The bug is introduced because the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.
Here is the proof of concept.
var qpdf = require('node-qpdf');
var options = {
keyLength: 128,
password: 'YOUR_PASSWORD_TO_ENCRYPT'
}
qpdf.encrypt('test.pdf ||touch rce||', options); // a file named rce will be createdRelated news
All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.