Arbitrary Code Execution Affecting dawnsparks-node-tesseract package, versions <0.4.1


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 1.66% (89th percentile)

  • Snyk ID: SNYK-JS-DAWNSPARKSNODETESSERACT-5458970
  • Published: 25 Apr 2023
  • Disclosed: 24 Apr 2023
  • Credit: Unknown

Introduced: 24 Apr 2023

CVE-2023-29566
CWE-94

How to fix?

Upgrade dawnsparks-node-tesseract to version 0.4.1 or higher.

Overview

dawnsparks-node-tesseract is a fork of a simple wrapper for the Tesseract OCR package.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the child_process function due to improper input sanitization.

To exploit this vulnerability, a user must submit an image file to a Node.js application that is using "dawnsparks-node-tesseract" as a dependency to perform optical character recognition. If the user's submitted image filename contains shell commands, those will be evaluated, allowing the user to execute arbitrary commands on the application's server.

PoC

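var PUT = require('dawnsparks-node-tesseract');
// Stands in for the filename of a user-submitted image; the shell
// metacharacters in it are evaluated by affected versions.
var user_image_filename = "; touch success;#";
try {
    new PUT.process(user_image_filename,{},function(){});
} catch (e) {
    // Report any error thrown while the wrapper handles the filename.
    console.log(e);
}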
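
The vulnerable pattern described above next to a shell-free invocation, as an added example that is not the package's own code. It assumes the wrapper concatenates the image path into a `tesseract <image> stdout` command string; the function names and the extension allowlist are hypothetical, and a Node child process stands in for the OCR binary so the block runs without Tesseract installed.

```javascript
// Added example, not code from dawnsparks-node-tesseract.
const { execFileSync } = require('child_process');
const path = require('path');

// Assumed allowlist of image extensions the application accepts.
const ALLOWED_EXT = new Set(['.png', '.jpg', '.jpeg', '.tif', '.tiff']);

// Vulnerable pattern (assumed shape): the path is spliced into one string
// that a shell later parses. Built for comparison only, never executed here.
function buildShellCommand(imagePath) {
  return 'tesseract ' + imagePath + ' stdout';
}

// Mitigation 1: accept only plain image file names.
function isAcceptableImageName(imagePath) {
  const base = path.basename(imagePath);
  return base === imagePath &&              // no directory components
    /^[A-Za-z0-9._-]+$/.test(base) &&       // conservative character allowlist
    !base.startsWith('-') &&                // cannot be read as an option
    ALLOWED_EXT.has(path.extname(base).toLowerCase());
}

// Mitigation 2: pass arguments as an array so no shell parses them.
function buildArgv(imagePath) {
  return [imagePath, 'stdout'];
}

// Stand-in for the OCR binary: a Node child process that reports the
// arguments it received, started with execFile (no shell involved).
function echoArgv(argv) {
  const script = 'console.log(JSON.stringify(process.argv.slice(1)))';
  const out = execFileSync(process.execPath, ['-e', script, '--', ...argv],
    { encoding: 'utf8' });
  return JSON.parse(out);
}

// Constructed inputs: the filename from the PoC above and a benign name.
const samples = ['; touch success;#', 'scan-01.png'];
for (const name of samples) {
  console.log(JSON.stringify({
    name,
    shellString: buildShellCommand(name),   // what a shell would be asked to parse
    accepted: isAcceptableImageName(name),
    receivedByChild: echoArgv(buildArgv(name)),
  }));
}
```

With the argument array, the child process receives the PoC filename as one literal argument; validation rejects it before any process is started.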
