CVE-2019-10788
Description
im-metadata through 3.0.1 allows command injection via the 'exec' argument, enabling remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2019-10788 is a command injection vulnerability in the npm package im-metadata, affecting every released version up to and including 3.0.1. The package returns an image's metadata as a JSON object by running ImageMagick's identify command. The flaw is a lack of input sanitization: the caller-supplied image path and options are concatenated into a single shell command string that is handed to Node's exec, so any shell metacharacters in the path are interpreted by the shell, and an attacker who controls that string can run arbitrary commands [1][2].
Attack Vector
The vulnerability is triggered when attacker-controlled data reaches the string that im-metadata passes to exec, in practice the image path argument. A path containing shell metacharacters such as ;, |, or backticks terminates the intended identify command and starts another one. The proof of concept published by the Snyk Security Team appends a command to the file name, for example foo.jpg;ls, which makes the shell run identify on foo.jpg and then execute ls [2]. The package itself requires no authentication; the attack is remotely exploitable whenever an application lets clients supply the filename or options that it forwards to im-metadata.
Impact
Successful exploitation lets an attacker execute arbitrary operating system commands with the privileges of the Node.js process that calls im-metadata. This can lead to full compromise of the affected host, including data exfiltration, installation of malware, or lateral movement within the network. The impact is rated critical because the injection is trivial to trigger and can result in complete system takeover [1].
Mitigation
The issue was addressed in commit ea15dddbe0f6 on the package's master branch, which checks the path argument against a list of shell metacharacters before building the command [3]. As of the publication date, no patched version had been published to the npm registry, so the advisory lists no fixed version. Until one is available, users of im-metadata should treat the path as attacker-controlled and never pass untrusted data to the exec argument: validate the path against an allowlist (for example, a resolved path inside a known upload directory) before calling the package, or invoke identify themselves through execFile with an argument array so that no shell parses the filename. The repository has since been archived [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| im-metadata (npm) | <= 3.0.1 | — |
Affected products
- im-metadata/im-metadata
Patches
ea15dddbe0f6 fix: check path argument before processing (#10)
1 file changed · +9 −6
index.js+9 −6 modified@@ -9,15 +9,18 @@ module.exports = function(path, opts, cb) { opts = {}; } - var cmd = module.exports.cmd(path, opts); - opts.timeout = opts.timeout || 5000; - - exec(cmd, opts, function(e, stdout, stderr) { - if (e) { return cb(e); } + if(/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g.test(JSON.stringify(path))) { + console.log('Input Validation failed, Suspicious Characters found'); + } else { + var cmd = module.exports.cmd(path, opts); + opts.timeout = opts.timeout || 5000; + exec(cmd, opts, function(e, stdout, stderr) { + if (e) { return cb(e); } if (stderr) { return cb(new Error(stderr)); } - return cb(null, module.exports.parse(path, stdout, opts)); + return cb(null, module.exports.parse(path, stdout, opts)); }); +} }; module.exports.cmd = function(path, opts) {
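Review bot: the rejection branch of the new `if(/;|&|...` check only runs `console.log('Input Validation failed, Suspicious Characters found');` and then falls off the end of the function, so `cb` is never invoked and a caller that passes a rejected path waits forever; it should `return cb(new Error('...'))` so the failure surfaces to the application. The check is also a denylist run against `JSON.stringify(path)`: characters the list omits but the shell treats specially, such as a literal newline (which JSON.stringify renders as the two characters `\n`, so the regex cannot see it), still reach `exec(cmd, opts, ...)` and are parsed by /bin/sh. Passing the path as a separate argument through `execFile` (no shell) would remove the bug class rather than enumerate it.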
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qfxv-qqvg-24pg (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10788 (GHSA; ADVISORY)
- github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639 (GHSA; x_refsource_CONFIRM; WEB)
- snyk.io/vuln/SNYK-JS-IMMETADATA-544184 (GHSA; x_refsource_MISC; WEB)