VYPR
Critical severity · OSV Advisory · Published Mar 26, 2019 · Updated Aug 4, 2024

CVE-2019-10061

Description

Command injection vulnerability in node-opencv prior to 6.1.0 allows arbitrary command execution via unvalidated user input in utils/find-opencv.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

utils/find-opencv.js in node-opencv (OpenCV bindings for Node.js) prior to version 6.1.0 passes an unvalidated command-line argument into the exec function from child_process. The script accepts its flag argument (e.g., --cflags, --libs) without sanitization, so shell metacharacters in it are interpreted by the shell that exec spawns, allowing injection of arbitrary commands. The vulnerability exists in all versions before 6.1.0, as confirmed by the official description and the fix commit that restricts allowed flags [1][3].

Exploitation

An attacker can exploit this vulnerability by providing a malicious command-line argument containing shell metacharacters (e.g., backticks, semicolons, pipes) when the install script runs. No special privileges are required beyond the ability to trigger the vulnerable script on the target system. For example, running node utils/find-opencv.js '--exists; echo pwned' would execute echo pwned after the intended flag check [1][3]. The fix commit restricts accepted flags to a whitelist (--cflags, --libs, and --exists), preventing arbitrary input [3].

Impact

Successful exploitation allows arbitrary command execution with the privileges of the process running node-opencv, typically an unprivileged user. This can lead to full system compromise, including data exfiltration, installation of malware, or lateral movement within the network. The vulnerability is classified as high severity (CVSS base score 9.8) per NVD assessment [1].

Mitigation

The vulnerability is fixed in node-opencv version 6.1.0. Users should upgrade to at least version 6.1.0 immediately. The fix explicitly restricts accepted flags to --cflags, --libs, or --exists, rejecting any other input [3]. No workaround is available for earlier versions; upgrading is the only reliable mitigation. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this analysis.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: opencv (npm)
Affected versions: < 6.1.0
Patched versions: 6.1.0

Affected products

2

Patches

2
aaece6921d73

Fix install script

https://github.com/peterbraden/node-opencv · Peter Braden · Mar 20, 2019 · via ghsa
3 files changed · +10 −3
  • README.md · +1 −2 · modified
    @@ -13,8 +13,7 @@ cool, I'd love to hear about it!
     
     ## Install
     
    -You'll need OpenCV 2.3.1 or newer installed before installing node-opencv.  Note
    -that OpenCV 3.x is not yet fully supported.
    +You'll need OpenCV 2.3.1 or newer installed before installing node-opencv.
     
     ## Specific for macOS
     Install OpenCV using brew
    
  • src/FaceRecognizer.h · +1 −0 · modified
    @@ -8,6 +8,7 @@ namespace cv {
       using cv::face::FaceRecognizer;
     }
     #else
    +#warning using opencv2 contrib
     #include "opencv2/contrib/contrib.hpp"
     #endif
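Review bot: the added `#warning using opencv2 contrib` fires on every build that takes the non-cv::face branch and is unrelated to the command-injection fix this patch is for; it would be cleaner as a separate commit, and if the intent is to signal a deprecated dependency, the message should say so (e.g. that the contrib module path is for OpenCV 2.x only).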
     
    
  • utils/find-opencv.js · +8 −1 · modified
    @@ -2,7 +2,14 @@
     
     var exec = require("child_process").exec;
     var fs = require("fs");
    -var flag = "--exists";
    +
    +var flags = {
    +  '--cflags' : '--cflags',
    +  '--libs' : '--libs'
    +}
    +var flag = flags[process.argv[2]] || '--exists'
    +
    +
     
     // Normally |pkg-config opencv ...| could report either OpenCV 2.x or OpenCV 3.y
     // depending on what is installed.  To enable both 2.x and 3.y to co-exist on
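Review bot: the allow-list lookup `var flag = flags[process.argv[2]] || '--exists'` reads through the prototype chain of a plain object literal, so an argument naming an inherited property (`constructor`, `toString`, `hasOwnProperty`) returns a function rather than falling through to `'--exists'`, and that value is what ends up stringified into the pkg-config command; build the map with `Object.create(null)` or guard the lookup with `Object.prototype.hasOwnProperty.call(flags, process.argv[2])`. The object literal and the `var flag` line also drop the semicolons the rest of the file uses, and the two trailing added blank lines are stray.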
    
81a4b8620188

Remove untrusted input to exec

https://github.com/peterbraden/node-opencv · Peter Braden · Mar 20, 2019 · via ghsa
1 file changed · +3 −3
  • utils/find-opencv.js · +3 −3 · modified
    @@ -2,13 +2,13 @@
     
     var exec = require("child_process").exec;
     var fs = require("fs");
    -var flag = process.argv[2] || "--exists";
    +var flag = "--exists";
     
     // Normally |pkg-config opencv ...| could report either OpenCV 2.x or OpenCV 3.y
     // depending on what is installed.  To enable both 2.x and 3.y to co-exist on
     // the same machine, the opencv.pc for 3.y can be installed as opencv3.pc and
     // then selected by |export PKG_CONFIG_OPENCV3=1| before building node-opencv.
    -var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : '"opencv >= 2.3.1"';
    +var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : ' "opencv >= 2.3.1"';
     
     function main(){
         //Try using pkg-config, but if it fails and it is on Windows, try the fallback
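Review bot: replacing `process.argv[2] || "--exists"` with the constant `"--exists"` removes the untrusted input and closes the injection, but the script still builds a string for `exec`, which is why the package spec has to carry its own double quotes (`'"opencv >= 2.3.1"'`); switching to `execFile("pkg-config", [opencv, flag], ...)` would remove the shell from the call entirely and make the quoting unnecessary. The leading space added in `' "opencv >= 2.3.1"'` is there only to make the later error-message concatenation read correctly, and the `"opencv3"` branch has no such space, so the two branches now differ in a way that is easy to miss; put the space in the message instead.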
    @@ -18,7 +18,7 @@ function main(){
                     fallback();
                 }
                 else{
    -                throw new Error("ERROR: failed to run: pkg-config", opencv, flag);
    +              throw new Error("ERROR: failed to run: pkg-config" + opencv + " " + flag + " - Is OpenCV installed?");
                 }
             }
             else{
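Review bot: the original `throw new Error("ERROR: failed to run: pkg-config", opencv, flag)` silently dropped `opencv` and `flag`, since `Error` takes a single message argument, so concatenating them into the message is the right fix; however `"ERROR: failed to run: pkg-config" + opencv` has no separating space and relies on `opencv` starting with one, which the `opencv3` value does not, producing `pkg-configopencv3` in that case. Write `"ERROR: failed to run: pkg-config " + opencv + " " + flag + ...` here. The new `throw` line is also indented two columns less than the line it replaces.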
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.