PT-2020-19968 · Npm · Pdf-Image

Published

2020-02-28

Updated

2021-05-10

CVE-2020-8132

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions pdf-image versions <= 2.0.0

Description The issue is related to a lack of input validation in the pdf-image npm package, which may allow an attacker to run arbitrary code if the PDF file path is constructed based on untrusted user input.

Recommendations For versions <= 2.0.0, update to a version greater than 2.0.0 to resolve the issue. As a temporary workaround, consider validating and sanitizing all user input used to construct PDF file paths to minimize the risk of exploitation. Restrict access to the pdf-image package to minimize the risk of exploitation until a patch is applied.

Exploit

Fix

Code Injection

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94CWE-20

Related Identifiers

CVE-2020-8132

GHSA-RV7P-MMWQ-X674

Affected Products

Pdf-Image

PT-2020-19968 · Npm · Pdf-Image

CVE-2020-8132

Weakness Enumeration

Related Identifiers

Affected Products

References · 4