Critical severityNVD Advisory· Published Feb 18, 2020· Updated Aug 4, 2024
CVE-2019-10791
CVE-2019-10791
Description
promise-probe before 0.10.0 is vulnerable to command injection via unsanitized user input in the file, outputFile, and options parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
promise-probe before 0.10.0 is vulnerable to command injection via unsanitized user input in the file, outputFile, and options parameters.
Vulnerability
Details
CVE-2019-10791 is a command injection vulnerability in the promise-probe package, an FFprobe wrapper, affecting versions prior to 0.10.0. The vulnerability exists in the ffprobe(file) and createMuteOgg(outputFile, options) functions, which execute system commands using user-supplied arguments without validation [1][2].
Exploitation
An attacker can control the file, outputFile, and options parameters, injecting arbitrary shell commands. For example, providing a string like "& touch JHU" as the file argument to ffprobe results in command execution [3]. No authentication is required, as these functions are exposed directly to user input.
Impact
Successful exploitation allows remote attackers to execute arbitrary commands on the server, potentially leading to complete system compromise, data exfiltration, or further lateral movement.
Mitigation
Users should upgrade promise-probe to version 0.10.0 or later. The fix includes input validation and proper error handling to prevent command injection [2].
References
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
promise-probenpm | < 0.1.10 | 0.1.10 |
Affected products
2- Snyk/promise-probev5Range: All versions prior to version 0.10.0
Patches
10d9affb67fc1resolve vulnerability
3 files changed · +20 −3
index.js+7 −1 modified@@ -7,7 +7,7 @@ function ffprobe(file) { throw new Error('no file provided'); fs_1.stat(file, (err, stats) => { if (err) - throw err; + return reject(new Error('wrong file provided')); child_process_1.exec('ffprobe -v quiet -print_format json -show_format -show_streams ' + file, (error, stdout, stderr) => { if (error) return reject(error); @@ -34,6 +34,12 @@ function ffprobe(file) { exports.ffprobe = ffprobe; function createMuteOgg(outputFile, options) { return new Promise((resolve, reject) => { + if (!outputFile || !options || !options.seconds || !options.sampleRate || !options.numOfChannels) + return reject(new Error('malformed props to createMuteOgg')); + if (!Number.isInteger(options.seconds) || + !Number.isInteger(options.sampleRate) || + !Number.isInteger(options.numOfChannels)) + return reject(new Error('malformed numerico options prop for createMuteOgg')); const ch = options.numOfChannels === 1 ? 'mono' : 'stereo'; child_process_1.exec('ffmpeg -f lavfi -i anullsrc=r=' + options.sampleRate +
index.js.map+1 −1 modified@@ -1 +1 @@ -{"version":3,"file":"index.js","sourceRoot":"","sources":["index.ts"],"names":[],"mappings":";AAAA,iDAAoC;AACpC,2BAAyB;AAgHzB,iBAAwB,IAAY;IAClC,OAAO,IAAI,OAAO,CAAW,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC/C,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAA;QAE9C,SAAI,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;YACxB,IAAI,GAAG;gBAAE,MAAM,GAAG,CAAA;YAElB,oBAAI,CAAC,iEAAiE,GAAG,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;gBACvG,IAAI,KAAK;oBAAE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAA;gBAC/B,IAAI,CAAC,MAAM;oBAAE,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC,CAAA;gBAEjE,IAAI,QAAkB,CAAA;gBAEtB,IAAI;oBACF,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;iBAC9B;gBAAC,OAAO,GAAG,EAAE;oBACZ,OAAO,MAAM,CAAC,GAAG,CAAC,CAAA;iBACnB;gBAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;oBAChD,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,KAAK,OAAO;wBAAE,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAiB,CAAA;oBACpG,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,KAAK,OAAO,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ;wBAC5E,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAiB,CAAA;iBACvD;gBACD,OAAO,CAAC,QAAQ,CAAC,CAAA;YACnB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC;AA5BD,0BA4BC;AAED,uBACE,UAAkB,EAClB,OAAuE;IAEvE,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;QAE1D,oBAAI,CACF,gCAAgC;YAC9B,OAAO,CAAC,UAAU;YAClB,MAAM;YACN,EAAE;YACF,MAAM;YACN,OAAO,CAAC,OAAO;YACf,kBAAkB;YAClB,UAAU,EACZ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACxB,IAAI,KAAK;gBAAE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAA;YAG/B,OAAO,CAAC,IAAI,CAAC,CAAA;QACf,CAAC,CACF,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAxBD,sCAwBC;AAED,yBAAgC,SAAiB,EAAE,UAAkB,EAAE,OAAgB;IACrF,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,OAAO,CAAC,SAAS,CAAC;aACf,IAAI,CAAC,MAAM,CAAC,EAAE;YACb,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;YACxD,aAAa,CAAC,UAAU,EAAE;gBACxB,OAAO,EAAE,OAAO;gBAChB,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC;gBAC9C,aAAa,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ;aACrC,CAAC;iBACC,IAAI,CAAC,GAAG,EAAE;gBACT,OAAO,CAAC,IAAI,CAAC,CAAA;YACf,CAAC,CAAC;iBACD,KAAK,CAAC,GAAG,CAAC,EAAE;gBACX,MAAM,CAAC,GAAG,CAAC,CAAA;YACb,CAAC,CAAC,CAAA;QACN,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,CAAC,EAAE;YACX,MAAM,CAAC,GAAG,CAAC,CAAA;QACb,CAAC,CAAC,CAAA;IACN,CAAC,CAAC,CAAA;AACJ,CAAC;AArBD,0CAqBC"} \ No newline at end of file +{"version":3,"file":"index.js","sourceRoot":"","sources":["index.ts"],"names":[],"mappings":";AAAA,iDAAoC;AACpC,2BAAyB;AAiHzB,iBAAwB,IAAY;IAClC,OAAO,IAAI,OAAO,CAAW,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC/C,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAA;QAE9C,SAAI,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;YACxB,IAAI,GAAG;gBAAE,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAA;YAExD,oBAAI,CAAC,iEAAiE,GAAG,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;gBACvG,IAAI,KAAK;oBAAE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAA;gBAC/B,IAAI,CAAC,MAAM;oBAAE,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC,CAAA;gBAEjE,IAAI,QAAkB,CAAA;gBAEtB,IAAI;oBACF,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;iBAC9B;gBAAC,OAAO,GAAG,EAAE;oBACZ,OAAO,MAAM,CAAC,GAAG,CAAC,CAAA;iBACnB;gBAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;oBAChD,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,KAAK,OAAO;wBAAE,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAiB,CAAA;oBACpG,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,KAAK,OAAO,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ;wBAC5E,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAiB,CAAA;iBACvD;gBACD,OAAO,CAAC,QAAQ,CAAC,CAAA;YACnB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC;AA5BD,0BA4BC;AAED,uBACE,UAAkB,EAClB,OAAuE;IAEvE,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,OAAO,CAAC,aAAa;YAC9F,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC,CAAA;QAE9D,IACE,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC;YAClC,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC;YACrC,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,aAAa,CAAC;YAExC,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC,CAAA;QAE/E,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;QAE1D,oBAAI,CACF,gCAAgC;YAC9B,OAAO,CAAC,UAAU;YAClB,MAAM;YACN,EAAE;YACF,MAAM;YACN,OAAO,CAAC,OAAO;YACf,kBAAkB;YAClB,UAAU,EACZ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACxB,IAAI,KAAK;gBAAE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAA;YAG/B,OAAO,CAAC,IAAI,CAAC,CAAA;QACf,CAAC,CACF,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAlCD,sCAkCC;AAED,yBAAgC,SAAiB,EAAE,UAAkB,EAAE,OAAgB;IACrF,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,OAAO,CAAC,SAAS,CAAC;aACf,IAAI,CAAC,MAAM,CAAC,EAAE;YACb,IAAI,CAAC,OAAO;gBAAE,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;YACxD,aAAa,CAAC,UAAU,EAAE;gBACxB,OAAO,EAAE,OAAO;gBAChB,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC;gBAC9C,aAAa,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ;aACrC,CAAC;iBACC,IAAI,CAAC,GAAG,EAAE;gBACT,OAAO,CAAC,IAAI,CAAC,CAAA;YACf,CAAC,CAAC;iBACD,KAAK,CAAC,GAAG,CAAC,EAAE;gBACX,MAAM,CAAC,GAAG,CAAC,CAAA;YACb,CAAC,CAAC,CAAA;QACN,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,CAAC,EAAE;YACX,MAAM,CAAC,GAAG,CAAC,CAAA;QACb,CAAC,CAAC,CAAA;IACN,CAAC,CAAC,CAAA;AACJ,CAAC;AArBD,0CAqBC"} \ No newline at end of file
index.ts+12 −1 modified@@ -1,5 +1,6 @@ import { exec } from 'child_process' import { stat } from 'fs' +import { reject } from 'bluebird' export interface IFFFormat { filename: string @@ -116,7 +117,7 @@ export function ffprobe(file: string): Promise<IFfprobe> { if (!file) throw new Error('no file provided') stat(file, (err, stats) => { - if (err) throw err + if (err) return reject(new Error('wrong file provided')) exec('ffprobe -v quiet -print_format json -show_format -show_streams ' + file, (error, stdout, stderr) => { if (error) return reject(error) @@ -146,6 +147,16 @@ export function createMuteOgg( options: { seconds: number; sampleRate: number; numOfChannels: number } ) { return new Promise<true>((resolve, reject) => { + if (!outputFile || !options || !options.seconds || !options.sampleRate || !options.numOfChannels) + return reject(new Error('malformed props to createMuteOgg')) + + if ( + !Number.isInteger(options.seconds) || + !Number.isInteger(options.sampleRate) || + !Number.isInteger(options.numOfChannels) + ) + return reject(new Error('malformed numerico options prop for createMuteOgg')) + const ch = options.numOfChannels === 1 ? 'mono' : 'stereo' exec(
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-vmqq-7qvx-68qxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10791ghsaADVISORY
- github.com/dottgonzo/node-promise-probe/commit/0d9affb67fc1ad985903536d35372cf55efe5a45ghsaWEB
- github.com/dottgonzo/node-promise-probe/commit/0d9affb67fc1ad985903536d35372cf55efe5a45%2Cmitrex_refsource_MISC
- snyk.io/vuln/SNYK-JS-PROMISEPROBE-546816ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.