Critical severity 9.8 · NVD Advisory · Published Oct 23, 2017 · Updated May 13, 2026
CVE-2014-3741
Description
The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| printer (npm) | < 0.0.2 | 0.0.2 |
Affected products
- cpe:2.3:a:node-printer_project:node-printer:*:*:*:*:*:node.js:*:* (Range: <=0.0.1)
Patches
e001e38738c1 Removed possible command injection
1 file changed · +1 −1
lib/printer.js+1 −1 modified@@ -93,7 +93,7 @@ function printDirect(parameters){ }else if (!printer_helper.printDirect){// should be POSIX var temp_file_name = path.join(os.tmpDir(),"printing"); fs.writeFileSync(temp_file_name, data); - child_process.exec('lpr -P'+printer+' -oraw -r'+' '+temp_file_name, function(err, stdout, stderr){ + child_process.execFile('lpr', ['-P' + printer, '-oraw', '-r', temp_file_name], function(err, stdout, stderr){ if (err !== null) { error('ERROR: ' + err); return;
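Review bot: in the unchanged context just above the changed call, the job data is still written to a fixed path, path.join(os.tmpDir(),"printing"), so two concurrent printDirect calls overwrite each other's file and the name is predictable in a shared temp directory; suggest a unique per-job temp file created with exclusive flags. On the changed line, passing ['-P' + printer, '-oraw', '-r', temp_file_name] to execFile keeps printer out of a shell command string, which addresses the injection; it is still worth rejecting an empty or non-string printer before the call so that lpr never receives a bare -P.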
References
- github.com/tojocky/node-printer/commit/e001e38738c17219a1d9dd8c31f7d82b9c0013c7 (nvd: Issue Tracking, Patch; WEB)
- www.openwall.com/lists/oss-security/2014/05/13/1 (nvd: Mailing List, Third Party Advisory; WEB)
- www.openwall.com/lists/oss-security/2014/05/15/2 (nvd: Mailing List, Third Party Advisory; WEB)
- github.com/advisories/GHSA-5c8j-xr24-2665 (ghsa: ADVISORY)
- nodesecurity.io/advisories/printer_potential_command_injection (nvd: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-3741 (ghsa: ADVISORY)
- www.npmjs.com/advisories/27 (ghsa: WEB)