CVE-2026-26830
pdf-image (NPM Package) · pdf-image
The pdf-image npm package is vulnerable to OS command injection via the pdfFilePath parameter. This occurs because user-supplied file paths are interpolated directly into shell command strings.
Executive summary
The pdf-image library for Node.js contains a critical command injection vulnerability that allows unauthenticated attackers to execute arbitrary OS commands on the host server.
Vulnerability
This is an OS Command Injection vulnerability triggered via the pdfFilePath parameter. The functions constructGetInfoCommand and constructConvertCommandForPage use util.format() to build shell strings that are passed directly to child_process.exec() without sanitization.
Business impact
An attacker can exploit this flaw to gain a shell on the application server. This leads to full system compromise, potential lateral movement within the network, and unauthorized access to application databases or environment variables. The CVSS score of 9.8 reflects the ease of exploitation and the total impact on confidentiality, integrity, and availability.
Remediation
Immediate Action: Developers should immediately stop using vulnerable versions of the pdf-image package and update to a patched version if available, or migrate to a more secure alternative.
Proactive Monitoring: Implement runtime application self-protection (RASP) or monitor system logs for suspicious child processes spawned by Node.js applications.
Compensating Controls: Use input validation to strictly enforce file path patterns and ensure the application runs with the least privilege necessary to minimize the impact of a command injection.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The use of child_process.exec() with unsanitized input is a high-risk practice. Organizations using this package in their production applications must audit their code immediately. If a patch is not provided by the maintainer, the library should be replaced with one that uses safer execution methods like execFile.