PT-2018-1369 · Node.Js · Pdf-Image

Defmax · Published 2018-05-30 · Updated 2020-09-01 · CVE-2018-3757

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: pdf-image versions prior to 2.0.0

Description: The pdf-image tool for Node.js does not neutralize special elements in the input data for its GetInfoCommand function. A remote attacker can exploit this to execute arbitrary code using a specially crafted request. The vulnerability exists due to an unescaped string parameter, and it is exploitable if the attacker has control over the pdfFilePath variable passed into pdf-image.

Recommendations: Update to version 2.0.0 or later. As a temporary workaround, consider restricting access to the pdf-image tool to minimize the risk of exploitation, especially access to the pdfFilePath variable. Until the issue is resolved, avoid using unvalidated input for the pdfFilePath variable in the affected API endpoint.
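
The unescaped-parameter pattern described above, next to a hardened form, as an added example (not pdf-image's own source and not the 2.0.0 fix). The function names and the `pdfinfo` binary name are assumptions, and the sample inputs are constructed.

```javascript
// Added illustration: names and the `pdfinfo` binary are assumptions,
// not pdf-image's own source.

// Pattern described in the advisory: the path is pasted into one shell string,
// so quotes, `;`, `$()` or backticks inside it are re-parsed by the shell.
function buildInfoCommandUnsafe(pdfFilePath) {
  return 'pdfinfo "' + pdfFilePath + '"';
}

// Hardened form: validate the path, then return an argument vector.
// Passed to execFile, the path stays one argument because no shell parses it.
function buildInfoArgv(pdfFilePath) {
  if (typeof pdfFilePath !== 'string' || pdfFilePath.length === 0) {
    throw new TypeError('pdfFilePath must be a non-empty string');
  }
  if (pdfFilePath.includes('\0')) {
    throw new RangeError('pdfFilePath contains a NUL byte');
  }
  if (!/\.pdf$/i.test(pdfFilePath)) {
    throw new RangeError('pdfFilePath must end in .pdf');
  }
  // A leading '-' would be read as an option by the child process.
  const arg = pdfFilePath.startsWith('-') ? './' + pdfFilePath : pdfFilePath;
  return ['pdfinfo', arg];
}

// Runs the tool without a shell and resolves with its stdout.
function getInfo(pdfFilePath) {
  const { execFile } = require('child_process'); // loaded only when called
  const [file, ...args] = buildInfoArgv(pdfFilePath);
  return new Promise((resolve, reject) => {
    execFile(file, args, { timeout: 10000 }, (err, stdout) =>
      (err ? reject(err) : resolve(stdout)));
  });
}

// Constructed sample file names (not taken from the advisory).
const samples = ['report.pdf', '-x.pdf', 'quarterly "draft"; v2.pdf', 'notes.txt'];
for (const s of samples) {
  try {
    console.log(JSON.stringify(buildInfoArgv(s)));
  } catch (e) {
    console.log('rejected:', JSON.stringify(s), e.message);
  }
}
```

The third sample passes validation yet reaches the child process as a single argument, which is the property the string-built command lacks.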

Exploit

Fix

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2018-00912
CVE-2018-3757
GHSA-5GWH-G79J-VH4Q

Affected Products

Pdf-Image