Dobby153

**Name of the Vulnerable Software and Affected Versions** exiftool-vendored versions prior to 35.19.0 **Description** Certain strings provided by the caller are interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return within these strings can split a single intended argument into multiple arguments, leading to argument injection. This occurs because the software starts ExifTool in a mode where arguments are read from stdin one per line. This issue allows an attacker to force ExifTool to read files accessible to the process or write output to attacker-chosen file system paths. The issue specifically affects tag-name arguments (tag keys), filename or path arguments, and the `imageHashType` option. Affected functions include `ExifTool#write()`, `ExifTool#read()`, `ExifTool#readRaw()`, `ExifTool#deleteAllTags()`, `ExifTool#rewriteAllTags()`, `ExifTool#extractBinaryTag()`, `ExifTool#extractBinaryTagToBuffer()`, `ExifTool#extractJpgFromRaw()`, `ExifTool#extractPreview()`, and `ExifTool#extractThumbnail()`. **Recommendations** Update to version 35.19.0 or later. As a temporary workaround, reject untrusted strings containing control characters before passing them to the affected APIs, specifically for tag names, `retain` or `numericTags` entries, binary-extraction tag names, filenames, and the `imageHashType` option.