Command Injection on tinygltf
Description
The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths provided in the input file. This function allows command injection through backticks: an attacker could craft an untrusted path input that results in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The library uses the wordexp() function to expand file paths from untrusted input, which can lead to command injection."
Attack vector
An attacker can craft an untrusted path within a glTF input file. When the library processes this path, the `wordexp()` function will expand it, potentially executing arbitrary commands. This vulnerability is triggered during the file path processing stage of the glTF loading mechanism. The expansion allows for command injection through the use of backticks within the path [ref_id=1].
Affected code
The vulnerability lies in the use of the `wordexp()` function for processing paths within the tinygltf library. The commit associated with this fix specifically targets the removal of this function call, indicating that the relevant code path involves file path handling during glTF asset loading [ref_id=2].
What the fix does
The fix removes the call to the `wordexp()` function for expanding file paths. The commit message states that file path expansion is not necessary for glTF asset paths and disabling it removes the security risk associated with `wordexp()` [ref_id=2]. This change prevents the library from interpreting special shell characters in paths, thereby mitigating the command injection vulnerability.
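The pattern described above, shown as an added C example that is not tinygltf's own code: the wordexp()-based expansion the fix removed, next to a hardened replacement that treats a glTF URI as literal data. The function names, the metacharacter list and the base_dir/uri parameters are assumptions made for this example.

```c
/* Added example, not code from tinygltf: unsafe pattern vs. hardened form. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* BEFORE (the pattern the fix removed): wordexp() performs shell-style
 * expansion on whatever string it receives. Even WRDE_NOCMD only disables
 * command substitution; variable expansion and globbing still apply, so
 * an attacker-controlled URI must never reach this function. */
int expand_path_unsafe(const char *untrusted, char *out, size_t outlen) {
    wordexp_t we;
    if (wordexp(untrusted, &we, 0) != 0 || we.we_wordc == 0) {
        return -1;
    }
    snprintf(out, outlen, "%s", we.we_wordv[0]);
    wordfree(&we);
    return 0;
}

/* AFTER: no expansion at all. The URI is used verbatim, and as an extra
 * check (an assumption for this example, not part of the upstream fix)
 * any path containing shell metacharacters is rejected outright, since a
 * glTF asset path has no legitimate need for them. */
bool is_safe_asset_path(const char *uri) {
    static const char *forbidden = "`$|;&<>(){}\"'\\\n";
    if (uri == NULL || uri[0] == '\0') {
        return false;
    }
    return strpbrk(uri, forbidden) == NULL;
}

/* Joins the directory of the glTF file with the asset URI literally.
 * Returns 0 on success, -1 if the URI is rejected or the buffer is too small. */
int resolve_asset_path_safe(const char *base_dir, const char *uri,
                            char *out, size_t outlen) {
    if (!is_safe_asset_path(uri)) {
        return -1;
    }
    int n = snprintf(out, outlen, "%s/%s", base_dir, uri);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The safe variant deliberately has no expansion step; a loader that needs environment-relative paths should resolve them itself from trusted configuration, not from the asset file.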
Preconditions
- Input: the attacker must provide a crafted glTF file containing a malicious path.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2022/dsa-5232 (MITRE: vendor-advisory, x_refsource_DEBIAN)
- bugs.chromium.org/p/oss-fuzz/issues/detail (MITRE: x_refsource_MISC)
- github.com/syoyo/tinygltf/blob/master/README.md (MITRE: x_refsource_MISC)
- github.com/syoyo/tinygltf/commit/52ff00a38447f06a17eab1caa2cf0730a119c751 (MITRE: x_refsource_MISC)
- github.com/syoyo/tinygltf/issues/368 (MITRE: x_refsource_MISC)