extra-ffmpeg@4.0.6 vulnerabilities

Decode, encode, transcode, mux, demux, stream, filter, and play media through machine (via "ffmpeg").

Direct Vulnerabilities

Known vulnerabilities in the extra-ffmpeg package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

extra-ffmpeg is a Decode, encode, transcode, mux, demux, stream, filter, and play media through machine (via "ffmpeg").

Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands due to insecure command formatting. User input inserted as part of the os parameter is passed to the child_process.exec function without any check.

PoC

const ffmpeg = require('extra-ffmpeg');
ffmpeg.sync([{y: true}, {i: '`touch HACKED`'}, {acodec: 'copy', o: 'aud.mp3'}]);

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

*