CVE-2018-3746
Description
A command injection vulnerability in pdfinfojs <=0.3.6 allows an attacker to execute arbitrary commands on the victim's machine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The pdfinfojs npm module in versions <= 0.3.6 contains a command injection vulnerability in the getInfoSync and getInfo functions. The constructor wraps the user-supplied filename in double quotes and stores it in the options.additional array; getInfoSync and getInfo then join that array onto the string 'pdfinfo ' and pass the result to execSync and exec from Node's child_process module, which run it through /bin/sh [1][2]. The quoting is not sanitization: the shell still performs $(...) and backtick command substitution inside double quotes, and a literal " in the filename closes the quoted region, so an attacker who controls the filename parameter can inject arbitrary shell commands.
Exploitation
An attacker must supply a malicious filename to the pdfinfo constructor. The constructor places it (double-quoted) in the options.additional array, which getInfo / getInfoSync join with spaces onto the command prefix 'pdfinfo ' and hand to exec / execSync, i.e. to /bin/sh. No authentication or special privilege is needed beyond the ability to pass a crafted filename to the module. Because the shell still performs command substitution inside double quotes, a filename containing backticks or $(...) executes arbitrary commands, and a literal " in the filename closes the quotes so that ; or && can append further commands [1][2][3]. Any value appended through add_options lands in the same array and is interpolated into the same command string, so it is injectable in the same way.
Impact
Successful command injection allows the attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to full compromise of the host, including data exfiltration, installation of malware, or lateral movement within the network [1][2].
Mitigation
The vulnerability is fixed in version 0.4.1. The fix replaces exec / execSync with execFile / execFileSync, which start the program directly without a shell, and passes the filename as its own element of the argument array rather than concatenating it into a command string, so shell metacharacters in the filename are never interpreted [2][3]. Users should upgrade to pdfinfojs >= 0.4.1. No workaround is provided for older versions beyond not passing attacker-controlled filenames to the module. Note that execFile removes the shell, not the argument: a filename beginning with '-' still reaches pdfinfo unchanged and may be parsed as an option, so callers should validate filenames or resolve them to absolute paths before handing them over.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pdfinfojs (npm) | < 0.4.1 | 0.4.1 |
Affected products
- HackerOne / pdfinfojs: range <= 0.3.6
Patches
5cc59cd8aa13 fix: command injection vulnerability
1 file changed · +4 −4
lib/pdfinfo.js+4 −4 modified@@ -1,9 +1,9 @@ -const { exec, execSync } = require('child_process'); +const { execFile, execFileSync } = require('child_process'); const utils = require('./utils'); function pdfinfo (filename, options) { this.options = options || {}; - this.options.additional = ['"' + filename + '"']; + this.options.additional = [filename]; pdfinfo.prototype.add_options = function(optionArray) { if (typeof optionArray.length !== undefined) { @@ -23,7 +23,7 @@ function pdfinfo (filename, options) { pdfinfo.prototype.getInfoSync = function() { const self = this; try { - let data = execSync('pdfinfo ' + self.options.additional.join(' ')).toString('utf8'); + let data = execFileSync('pdfinfo', self.options.additional).toString('utf8'); return utils.parse(data); } catch(err) { throw new Error("pdfinfo error: "+ err.msg); @@ -33,7 +33,7 @@ function pdfinfo (filename, options) { pdfinfo.prototype.getInfo = function(cb) { let self = this; - let child = exec('pdfinfo ' + self.options.additional.join(' '), function(error, stdout, stderr) { + let child = execFile('pdfinfo', self.options.additional, (error, stdout, stderr) => { if (!error) { let data = utils.parse(stdout); if (cb && typeof cb === "function") {
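Review bot: the guard `if (typeof optionArray.length !== undefined)` in add_options, visible in the constructor hunk's context lines, is always true because typeof yields a string and never the value undefined; compare against the string 'undefined' or, better, use Array.isArray(optionArray). Separately, dropping the manual double quotes (`this.options.additional = [filename];`) is correct now that the filename travels as its own argv element, but execFile removes only the shell: a filename beginning with '-' still reaches pdfinfo and may be parsed as an option, so the constructor should reject such names or resolve them to an absolute path.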
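Review bot: the catch block in getInfoSync rethrows `err.msg`, but Node errors expose the text as err.message (and the error thrown by execFileSync also carries err.stderr), so the wrapped error will read "pdfinfo error: undefined"; use err.message. The switch to `execFileSync('pdfinfo', self.options.additional)` is the right fix for the injection: the array is passed to the program as argv with no shell in between.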
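Review bot: in the getInfo hunk the callback became an arrow function, so the `let self = this;` kept in the context line above is now redundant inside the callback; either drop self and use this, or keep the function expression. The change itself, `execFile('pdfinfo', self.options.additional, ...)`, is correct and mirrors the synchronous fix.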
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3pxp-6963-46r9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-3746 (advisory)
- github.com/fagbokforlaget/pdfinfojs/commit/5cc59cd8aa13ca8d16bb41da8affdfef370ad4fd (fix commit)
- hackerone.com/reports/330957 (HackerOne report)
- www.npmjs.com/advisories/643 (npm advisory)
News mentions
No linked articles in our index yet.