VYPR
High severity · OSV Advisory · Published Feb 4, 2020 · Updated Aug 4, 2024

CVE-2019-10787

Description

im-resize versions before 2.3.3 contain a command injection flaw in the cmd argument, allowing unauthenticated remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The im-resize npm package (versions up to and including 2.3.2) contains a command injection vulnerability in index.js. The exported function builds a shell command string (the cmd variable) from the caller-supplied image and output objects via module.exports.cmd(image, output) and runs it with child_process exec, which hands the string to a shell. Because the image fields are interpolated into that string without sanitization, an attacker who controls them can append arbitrary operating system commands to the intended ImageMagick convert invocation [1][2].

Exploitation

The injection is triggered through the image object's path property. The published proof of concept places shell metacharacters such as & in the path, so the shell runs an attacker-chosen command after (or instead of) convert. The library itself requires no authentication; the attack surface is any application that forwards unsanitized user input (an uploaded file name, for example) into the object it passes to im-resize's processing function [2].

Impact

A remote attacker can execute arbitrary commands with the privileges of the running Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the network [1][2].

Mitigation

The fix was merged into the master branch on GitHub (commit de624da, shown under Patches below). It adds a denylist check that rejects an image object whose JSON serialization contains any of the characters or sequences ; & ` $ ( ) || | ! > < ? ${ [3]. However, as of the publication date (2020-02-04) a patched version had not yet been published to the npm registry [2], and the advisory lists no patched version. The description names 2.3.3 as the first version without the flaw; upgrade to 2.3.3 or later once it is on npm, or apply the validation from the commit in the meantime. Because the check is a denylist and the command string still goes through a shell, calling code should also treat every field of the image object as untrusted: accept only an allowlist of path characters, or do not pass user-controlled values into it at all.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: im-resize (npm)
Affected versions: <= 2.3.2
Patched versions: (none listed)

Affected products: 2

Patches: 1

de624dacf6a5

fix: check image arguments before processing (#19)

1 file changed · +4 −0
  • index.js · +4 −0 · modified
    @@ -7,13 +7,17 @@ var join = require('path').join;
     var sprintf = require('util').format;
     
     module.exports = function(image, output, cb) {
    +  if(/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g.test(JSON.stringify(image))) {
    +    console.log('Input Validation failed, Suspicious Characters found');
    +  } else {
       var cmd = module.exports.cmd(image, output);
       exec(cmd, {timeout: 30000}, function(e, stdout, stderr) {
         if (e) { return cb(e); }
         if (stderr) { return cb(new Error(stderr)); }
     
         return cb(null, output.versions);
       });
    +}
     };
     
     /**
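Review bot: on the validation-failure branch (the new `if` at the top of `module.exports`) `cb` is never invoked, so a caller that passes a rejected image waits forever and never learns why; return an error instead, e.g. `return cb(new Error('Input validation failed, suspicious characters found'));` in place of the `console.log`. The check is also a denylist applied to `JSON.stringify(image)`: a raw newline in `image.path` is not in the pattern (JSON escapes it to the two characters `\n`, which the regex does not match either), and whether `sh -c` treats it as a command separator depends on how `module.exports.cmd` quotes the path, which this diff does not show. Since the assembled string still reaches `exec`, consider building an argument array for `execFile` instead so that no shell parses the path at all.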
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.