Pdf-Image Project: >> Pdf-Image >> 2.0.0 Security Vulnerabilities
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()
CVSS Score
9.8
EPSS Score
0.004
Published
2026-03-25
Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-02-28
Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter.
CVSS Score
9.8
EPSS Score
0.08
Published
2018-06-01