Description

im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.

Remediation

References

https://github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639

https://snyk.io/vuln/SNYK-JS-IMMETADATA-544184

Related Vulnerabilities

CVE-2022-26183 Vulnerability in npm package pnpm

CVE-2022-35131 Vulnerability in npm package joplin

CVE-2023-32081 Vulnerability in maven package io.vertx:vertx-stomp

CVE-2021-4260 Vulnerability in npm package oils

CVE-2022-29257 Vulnerability in npm package electron

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit