CVE-2023-26155

Name of the Vulnerable Software and Affected Versions node-qpdf versions all

Description The issue arises from the encrypt() method failing to sanitize its parameter input, which later flows into a sensitive command execution API. This allows attackers to inject malicious commands once they can specify the input pdf file path.

Recommendations For all versions, consider disabling the encrypt() function until a patch is available to prevent command injection attacks. Restrict access to sensitive command execution APIs to minimize the risk of exploitation. Avoid using the encrypt() method with untrusted input pdf file paths until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.