Exiftool · Exiftool · CVE-2026-3102
**Name of the Vulnerable Software and Affected Versions**
exiftool versions prior to 13.50
**Description**
An OS command injection issue exists in the PNG File Parser component of exiftool when run on macOS. The flaw is located in the `SetMacOSTags()` function within the `lib/Image/ExifTool/MacOS.pm` file. A remote attacker can achieve arbitrary code execution with the privileges of the user running exiftool by embedding shell commands in the EXIF `DateTimeOriginal` metadata of a malicious image. The attack is triggered when the unsanitized `$val` parameter is passed to a `system()` call during processing of the `DateTimeOriginal` tag, specifically when the `-n` (raw output mode) flag and the `-tagsFromFile` feature are used together to copy that value into the `FileCreateDate` tag. In this mode the value skips the `PrintConvInv` conversion step that would otherwise validate it, so the `/usr/bin/setfile` command invoked by `system()` ends up executing the injected payload.
**Recommendations**
Update exiftool to version 13.50 or later.
As a temporary workaround, avoid using the `-n` flag and the `-tagsFromFile` feature when processing images from untrusted sources to prevent the vulnerable code path from being triggered.
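The description above boils down to two defensive failures: a metadata value reached a shell unvalidated, and it reached it as part of a command string rather than as a single argument. The following is an added illustration (not exiftool code, and not the project's fix) of the two controls a defender would want in front of `setfile`: an allow-list check that accepts only well-formed EXIF date-times, and an argv-list invocation that keeps the value as one argument. The `setfile -d <value> <path>` argument order is assumed for illustration only, and the sample values are constructed.

```python
import re
import shlex

# Strict EXIF date-time: "YYYY:MM:DD HH:MM:SS", optionally followed by
# fractional seconds and a numeric UTC offset or "Z".
# Anything else (including shell metacharacters) is rejected outright.
EXIF_DATETIME_RE = re.compile(
    r"(\d{4}):(0[1-9]|1[0-2]):(0[1-9]|[12]\d|3[01])"
    r" ([01]\d|2[0-3]):([0-5]\d):([0-5]\d)"
    r"(\.\d{1,6})?(Z|[+-](0\d|1[0-4]):[0-5]\d)?"
)


def is_well_formed_exif_datetime(val: str) -> bool:
    """Allow-list check: True only if the whole string is an EXIF date-time."""
    return EXIF_DATETIME_RE.fullmatch(val) is not None


def build_setfile_argv(path: str, val: str) -> list[str]:
    """Return the argv list for a date-setting command (assumed setfile syntax).

    The value is validated first, then placed in the list as a single element,
    so no shell ever parses it. subprocess.run(argv) would consume this list.
    """
    if not is_well_formed_exif_datetime(val):
        raise ValueError(f"rejected non-date value for DateTimeOriginal: {val!r}")
    return ["/usr/bin/setfile", "-d", val, path]


def shell_token_count(val: str) -> int:
    """Show what the unsafe pattern does: interpolating the value into a command
    string hands it to the shell, which re-tokenises it. Even a *valid* EXIF
    date-time contains a space and is split into two words, so the program
    receives different arguments than the caller intended."""
    command_string = f"/usr/bin/setfile -d {val} photo.jpg"  # constructed example
    return len(shlex.split(command_string))
```

A valid date-time yields an argv of exactly four elements from `build_setfile_argv`, while the same value interpolated into a command string splits into five shell words; values containing anything but the date-time grammar never reach the command at all.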