CVE-2026-26832

node-tesseract-ocr (NPM Package) · node-tesseract-ocr

The node-tesseract-ocr npm package allows OS command injection in the recognize() function. File path parameters are concatenated into shell commands without proper sanitization.

Executive summary

A critical command injection vulnerability in the node-tesseract-ocr library enables attackers to execute arbitrary system commands by providing malicious file paths to the OCR processing function.

Vulnerability

The recognize() function in src/index.js is vulnerable to OS Command Injection. It concatenates user-controlled file path parameters into a shell command string that is then executed via child_process.exec() without sanitization, so any shell metacharacters in the path are interpreted by the shell rather than treated as part of a filename.

Business impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code with the privileges of the Node.js process. This can result in complete server takeover, data exfiltration, and the installation of persistent backdoors. The CVSS score of 9.8 indicates a critical risk to any application relying on this library for OCR tasks.

Remediation

Immediate Action: Update the node-tesseract-ocr dependency to a version higher than 2.2.1. If no update is available, sanitize all inputs to the recognize() function to remove shell metacharacters.

Proactive Monitoring: Monitor for unexpected shell execution or outbound network connections from servers performing OCR processing.

Compensating Controls: Run the Node.js application within a containerized environment with restricted system call capabilities (e.g., using Seccomp or AppArmor) to limit the damage of a command injection.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability highlights the danger of shell interpolation. Immediate remediation is required for any application that processes user-uploaded files via this OCR wrapper. Developers should prioritize upgrading the package or implementing rigorous input sanitization to prevent command execution.