Critical severity · OSV Advisory · Published Jul 25, 2022 · Updated Sep 17, 2024

Command Injection

CVE-2020-28446

Description

Versions of the package ntesseract before 0.2.9 are vulnerable to Command Injection via lib/tesseract.js.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem) | Affected versions | Patched versions
ntesseract (npm) | < 0.2.9 | 0.2.9

Patches

fcbc36f38179

fix: vulnerable to command injection

2 files changed · +5 -1
  • lib/tesseract.js+4 0 modified
    @@ -36,6 +36,10 @@ const Tesseract = {
       outputEncoding: 'UTF-8',
     
       command: function (image, options) {
    +    if (image.startsWith('"')) {
    +      image = '"' + image + '"';
    +    }
    +
         // assemble tesseract command
         const command = [options.binary, image, options.output];
     
    
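Review bot: The guard `if (image.startsWith('"'))` looks inverted: it adds quotes only when `image` already begins with a double quote, so an ordinary unquoted value reaches `[options.binary, image, options.output]` unchanged. Wrapping in double quotes also does not escape quotes, `$` or backticks inside the value, and `options.binary` and `options.output` get no handling at all. If this array is later joined into a string and handed to a shell, hand quoting will not be sufficient; suggest keeping the arguments as an array and running the binary with `child_process.execFile` (no shell), plus a type check, since `startsWith` throws when `image` is not a string.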
  • package.json+1 1 modified
    @@ -30,6 +30,6 @@
       },
       "license": "MIT",
       "engine": {
    -    "node": ">=0.6"
    +    "node": ">=8.0"
       }
     }
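Review bot: The key being edited is `"engine"`, but npm reads the `"engines"` field, so the new `"node": ">=8.0"` floor is not picked up by npm under this name. Suggest renaming the key to `"engines"` and stating in the commit message why the floor moves from `>=0.6` (the `startsWith` call added in lib/tesseract.js needs a newer runtime), since the bump otherwise looks unrelated to a fix titled "vulnerable to command injection".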
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
