Vulnerability	Vulnerable Version
H Arbitrary Command Injection The `codem-transcode` package supports a feature (off by default) to interact with a local `ffprobe`. When enabled, POST requests to `/probe` trigger the execution of the local `ffprobe` binary, with the provided parameters. This execution is done using `exec`, allowing piped requests, and therefore enabling remote command execution. Newer versions use `execFile` instead, preventing such injection (though still giving attackers to whatever functionality `ffprobe` supports, and any weaknesses in it). Note that, by default, the package only listens for such requests from the local network interface, greatly reducing the likelihood of exploitation. How to fix Arbitrary Command Injection? Either turn off the `ffprobe` functionality or upgrade to (at least) version `0.5.0`, which address this issue by using `execFile` instead of `exec`.	<0.5.0

Arbitrary Command Injection

The codem-transcode package supports a feature (off by default) to interact with a local ffprobe. When enabled, POST requests to /probe trigger the execution of the local ffprobe binary, with the provided parameters.

This execution is done using exec, allowing piped requests, and therefore enabling remote command execution. Newer versions use execFile instead, preventing such injection (though still giving attackers to whatever functionality ffprobe supports, and any weaknesses in it).

Note that, by default, the package only listens for such requests from the local network interface, greatly reducing the likelihood of exploitation.

How to fix Arbitrary Command Injection?

Either turn off the ffprobe functionality or upgrade to (at least) version 0.5.0, which address this issue by using execFile instead of exec.

<0.5.0

Go back to all versions of this package