PT-2022-7868 · Nodepdf · Nodepdf
Anthony Weems · Published 2022-07-28 · Updated 2022-08-04
CVE-2016-4991
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
nodepdf version 1.3.0
Description
The input passed to the Pdf() function is shell-escaped and then passed to child_process.exec() during PDF rendering. However, the shell escape fails to properly encode special characters, such as the semicolon and curly braces, which can be exploited to achieve command execution.
Recommendations
For nodepdf version 1.3.0, consider disabling the Pdf() function until a patch is available to prevent command execution exploitation. Restrict access to the child_process.exec() function to minimize the risk of exploitation. Avoid using special characters, such as the semicolon and curly braces, in the input passed to the Pdf() function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Command Injection
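The pattern from the description next to a shell-free alternative, as an added example that is not nodepdf's code. weakEscape is a constructed stand-in for an incomplete escape, all function names are hypothetical, and the running node binary stands in for the PDF renderer so the block runs offline.

```javascript
// Added example. Function names are hypothetical; this is not nodepdf's source.
const { execFileSync } = require('child_process');

// Constructed stand-in for an incomplete escape: quotes, whitespace, '$',
// backticks and backslashes are handled, but ';', '{' and '}' pass through.
function weakEscape(value) {
  return value.replace(/(["'\s$`\\])/g, '\\$1');
}

// Pattern to avoid: a single string that exec() hands to a shell for parsing.
function buildShellCommand(url, outFile) {
  return `phantomjs render.js ${weakEscape(url)} ${weakEscape(outFile)}`;
}

// Review helper: list shell metacharacters left unescaped in a command string.
function unescapedMetachars(command) {
  return [...new Set(command.match(/(?<!\\)[;{}|&<>()]/g) || [])];
}

// Hardened form: validate the input, then pass it as argv entries with no shell.
// process.execPath (the running node binary) stands in for the renderer and
// echoes back the arguments it received.
function renderWithoutShell(url, outFile) {
  const parsed = new URL(url); // throws on malformed input
  if (!['http:', 'https:'].includes(parsed.protocol)) {
    throw new Error('unsupported URL scheme');
  }
  const echo = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const stdout = execFileSync(process.execPath, ['-e', echo, url, outFile], {
    encoding: 'utf8',
  });
  return JSON.parse(stdout);
}

// Constructed input containing the characters the advisory names.
const sample = 'http://example.test/report;{x}';
console.log(unescapedMetachars(buildShellCommand(sample, 'out.pdf')));
console.log(renderWithoutShell(sample, 'out.pdf'));
```

With execFile-style calls the characters arrive at the child process as literal argument bytes, so no escaping routine has to be complete for the call to be safe.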
Affected Products
Nodepdf