PT-2026-37303 · Npm · Exiftool-Vendored
Published
2026-05-05
·
Updated
2026-05-05
·
CVE-2026-43893
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
Impact
exiftool-vendored starts ExifTool in -stay open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters.Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated.
The reported write-path issue is caused by unsanitized tag keys. Tag values passed to
ExifTool#write are not affected, because WriteTask already encodes whitespace characters in values (e.g. -> ) before transmission.Confirmed affected inputs:
- Tag-name arguments / tag keys — keys of the
tagsobject passed toExifTool#write; entries of theretainoption toExifTool#deleteAllTags; entries of thenumericTagsoption toExifTool#read; thetagnameargument toExifTool#extractBinaryTagand#extractBinaryTagToBuffer. - Filename / path arguments to
ExifTool#write,#read,#readRaw,#deleteAllTags,#rewriteAllTags,#extractBinaryTag,#extractBinaryTagToBuffer, and the binary-extraction convenience methods#extractJpgFromRaw,#extractPreview, and#extractThumbnail.path.resolve()does not strip newlines, so an application that accepts attacker-controlled filenames containing newline characters was vulnerable. - The
imageHashTypeoption toExifTool#read. TypeScript types restrict this to a literal union, but JS callers or callers with weakened type checking could reach the sink.
Applications that only pass hardcoded strings for tag names, options, and filenames are not affected.
Patches
Fixed in v35.19.0. Two layers of defense:
- Per-site input validation. A new
validateTagNamehelper rejects any tag-name string containing characters outside the ExifTool tag grammar (letters, digits,:,-,*,?,+,#). Applied at every tag-name interpolation site. - Defense-in-depth at the command renderer.
ExifToolTask.renderCommandnow rejects any argument containingr,0before it is sent to the ExifTool process. This catches injection via filename arguments, option values, and any future interpolation site that forgets the per-site validator.
Workarounds
Upgrade to v35.19.0 or later.
If upgrading immediately is not possible, reject untrusted strings containing control characters before passing them to the affected APIs. Conservative guard:
function assertSafeForExifTool(s: string): void {
if (typeof s !== "string" || /[x00-x20=<>]/.test(s)) {
throw new Error("Rejected unsafe string for ExifTool");
}
}Apply to tag names,
retain / numericTags entries, binary-extraction tag names, filenames, and the imageHashType option. This is a denylist and is strictly weaker than the library's internal validator; it is sufficient to block the known PoCs but will accept strings that the library itself now rejects.Resources
- ExifTool
-stay open/ argument-file documentation: https://exiftool.org/exiftool pod.html#stay open-FLAG - ExifTool tag-name reference: https://exiftool.org/TagNames/
- CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') — https://cwe.mitre.org/data/definitions/88.html
Credit
- Reporter: Hank Tam
- Affiliation: Independent
Fix
Argument Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Exiftool-Vendored