Command Injection
Description
This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in total.js <3.4.7 via unsanitized type parameter in image.pipe/image.stream allows arbitrary command execution.
Vulnerability
Overview
The vulnerability resides in the image.pipe and image.stream functions of the total.js framework (versions before 3.4.7). The type parameter is used to construct a command that is executed via child_process.spawn with the shell option set to true. Because the type parameter is not sanitized, an attacker can inject arbitrary shell commands. [1][2]
Exploitation
An attacker can control the type parameter, for example by passing a malicious string to image.stream() or image.pipe(). No authentication is required if the vulnerable functions are exposed to user input. The proof-of-concept provided by Snyk demonstrates injection using a payload like ;touch HACKED;. [2]
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the server with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the network. [1][2]
Mitigation
The issue is fixed in total.js version 3.4.7. The fix introduces a whitelist of supported image types (SUPPORTEDIMAGES) and validates the type parameter against it before command execution. [3] Users should upgrade immediately. No workaround is available other than upgrading.
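As an added illustration (not total.js code), here is the vulnerable shape beside a hardened one. The whitelist mirrors the SUPPORTEDIMAGES table from the 3.4.7 fix; the null-prototype table, the rejection of unknown types (instead of falling back to a default) and the argv-array spawn with `shell: false` are choices of this example, not the project's.

```javascript
// Added example, not total.js code. Whitelist values are the ones from the
// 3.4.7 fix; Object.create(null) is added here so inherited keys such as
// "constructor" cannot satisfy the lookup.
const SUPPORTED_IMAGES = Object.assign(Object.create(null), {
  jpg: 1, png: 1, gif: 1, apng: 1, jpeg: 1, heif: 1, heic: 1, webp: 1, ico: 1,
});

// Vulnerable shape (simplified, hypothetical): a caller-controlled `type` is
// interpolated into one command string that child_process.spawn hands to the
// shell because of { shell: true }. Returns the string the shell would parse,
// so a ";" inside `type` becomes a command separator.
function unsafeConvertCommand(type, input) {
  return `convert ${input} ${type}:-`;
}

// Strict whitelist check: only own string keys with the value 1 are accepted,
// so objects, arrays and prototype property names are all rejected.
function isSupportedImageType(type) {
  return typeof type === 'string' && SUPPORTED_IMAGES[type] === 1;
}

// Hardened shape: validate first, then build an argv array so the converter
// binary is executed directly (shell: false) and nothing is shell-parsed.
function safeConvertInvocation(type, input) {
  if (!isSupportedImageType(type)) {
    throw new TypeError(`unsupported image type: ${JSON.stringify(type)}`);
  }
  return { file: 'convert', args: [input, `${type}:-`], options: { shell: false } };
}

// Runs the hardened invocation; `spawn` is injected so it can be
// require('child_process').spawn in production and a recorder in tests.
function spawnConvert(type, input, spawn) {
  const { file, args, options } = safeConvertInvocation(type, input);
  return spawn(file, args, options);
}
```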
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| total.js (npm) | < 3.4.7 | 3.4.7 |
Affected products
- total.js/total.js
Patches
6192491ab263 Fixed "Command Injection" in `image.stream()` - thanks to Sam Sanoop.
1 file changed · +2 −1
image.js+2 −1 modified@@ -38,6 +38,7 @@ const SPAWN_OPT = { shell: true }; const D = require('os').platform().substring(0, 3).toLowerCase() === 'win' ? '"' : '\''; const CMD_CONVERT = { gm: 'gm', im: 'convert', magick: 'magick' }; const CMD_CONVERT2 = { gm: 'gm convert', im: 'convert', magick: 'magick' }; +const SUPPORTEDIMAGES = { jpg: 1, png: 1, gif: 1, apng: 1, jpeg: 1, heif: 1, heic: 1, webp: 1, ico: 1 }; var CACHE = {}; var middlewares = {}; @@ -322,7 +323,7 @@ ImageProto.stream = function(type, writer) { !self.builder.length && self.minify(); - if (!type) + if (!type || !SUPPORTEDIMAGES[type]) type = self.outputType; F.stats.performance.open++;
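Review bot: SUPPORTEDIMAGES is declared as a plain object literal, so the lookup `SUPPORTEDIMAGES[type]` in the stream() hunk also resolves inherited properties; a type such as "constructor" or "toString" evaluates truthy and passes the whitelist although it is not an image type. Consider building the table with `Object.create(null)`, or checking `Object.prototype.hasOwnProperty.call(SUPPORTEDIMAGES, type)` / `SUPPORTEDIMAGES[type] === 1` instead of a truthiness test.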
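Review bot: in the ImageProto.stream hunk, `if (!type || !SUPPORTEDIMAGES[type]) type = self.outputType;` silently substitutes the default output type for any rejected value, so a caller passing an unsupported or malformed type gets a different format with no error and operators get no signal that a rejected value was seen; consider returning an error (or at least logging the rejection) rather than falling back. The advisory also names image.pipe alongside image.stream, but this diff changes only ImageProto.stream, so confirm that pipe() reaches the command through stream() or apply the same SUPPORTEDIMAGES check there.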
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4449-hg37-77v8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-28494 (ghsa, ADVISORY)
- github.com/totaljs/framework/commit/6192491ab2631e7c1d317c221f18ea613e2c18a5 (ghsa, x_refsource_MISC, WEB)
- snyk.io/vuln/SNYK-JS-TOTALJS-1046672 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/package/total.js (ghsa, WEB)
News mentions
No linked articles in our index yet.