CVE-2023-39018
Description
FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which FFmpeg.java uses untrusted input for the path of the executable file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Disputed code injection in net.bramp.ffmpeg.FFmpeg constructor; passing an unchecked executable path could run arbitrary commands, but realistic attack scenarios are absent.
Vulnerability Description
CVE-2023-39018 describes a code injection vulnerability in the net.bramp.ffmpeg.FFmpeg constructor of the ffmpeg-cli-wrapper library (version 0.7.0 and below). The constructor is designed to accept a path to the FFmpeg executable as a string argument. According to the disclosure, if an attacker can supply an uncontrolled path, they could execute arbitrary commands, for example by passing "C:/Windows/System32/calc.exe" instead of the legitimate FFmpeg binary [1][4].
Attack Surface and Dispute
The vulnerability assumes that the library user passes untrusted input into the constructor. The issue is extensively disputed by multiple third parties because in typical usage the executable path is a hard-coded constant or comes from a trusted configuration, never from an untrusted source [1]. The library is a Java wrapper around the command-line FFmpeg tool and, as documented, requires the user to provide the correct path to FFmpeg on the system [2]. The constructor itself performs no sanitization, as it expects the developer to control the input [3].
Impact and Mitigation
If the vulnerability were exploitable, it would allow an attacker who can control the path argument to run arbitrary executables with the privileges of the Java application. However, no realistic attack vector has been demonstrated where an end-user could supply malicious input to this constructor. The project maintainer has noted that the constructor is not intended to accept untrusted data, and typical usage does not expose it to untrusted input [4]. The latest version of the library (0.9.1) is unaffected; the reported version 0.7.0 is outdated. Users are advised to update to a current release and ensure that the executable path is always controlled by trusted code.
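The mitigation above amounts to one rule: the string handed to the FFmpeg constructor must come from deployment configuration, never from request data, and it should be checked before use. The following is an added example written for this page; it is not code from ffmpeg-cli-wrapper or its maintainer. It assumes the constructor signature the description gives (a single executable-path string), and the allow-listed install directories, the `app.ffmpeg.path` system property and the `TrustedFfmpegPath` class name are assumptions chosen for illustration. The resolver canonicalises the configured path, requires it to be an absolute, regular, executable file named `ffmpeg` that sits directly in one of the allow-listed directories, and rejects everything else, so a wrong or tampered configuration value fails closed rather than launching whatever binary the string names.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/**
 * Resolves the FFmpeg executable location from trusted configuration and
 * validates it before it is passed to net.bramp.ffmpeg.FFmpeg's constructor.
 * Added example; the allow-listed directories and the property name are
 * assumptions, not part of the library or of this CVE record.
 */
public final class TrustedFfmpegPath {

    // Directories an operator may install ffmpeg into (assumed values; Unix layout).
    private static final List<Path> TRUSTED_DIRS = List.of(
            Paths.get("/usr/bin"),
            Paths.get("/usr/local/bin"),
            Paths.get("/opt/ffmpeg/bin"));

    private TrustedFfmpegPath() {}

    /**
     * Returns the canonical path of the configured ffmpeg binary, or throws if
     * the value is missing, relative, not a real executable file, not named
     * ffmpeg, or located outside the allow-listed directories.
     */
    public static Path resolve(String configured) throws IOException {
        if (configured == null || configured.isBlank()) {
            throw new IllegalArgumentException("ffmpeg path is not configured");
        }
        Path requested = Paths.get(configured);
        if (!requested.isAbsolute()) {
            throw new IllegalArgumentException("ffmpeg path must be absolute: " + configured);
        }
        // toRealPath() follows symlinks and removes "." / ".." segments, and
        // throws NoSuchFileException if the file does not exist.
        Path real = requested.toRealPath();

        String name = real.getFileName().toString();
        if (!name.equals("ffmpeg") && !name.equals("ffmpeg.exe")) {
            throw new IllegalArgumentException("configured binary is not ffmpeg: " + real);
        }
        if (!Files.isRegularFile(real) || !Files.isExecutable(real)) {
            throw new IllegalArgumentException("ffmpeg path is not an executable file: " + real);
        }
        Path dir = real.getParent();
        boolean trustedDir = dir != null && TRUSTED_DIRS.stream().anyMatch(dir::equals);
        if (!trustedDir) {
            throw new IllegalArgumentException("ffmpeg path outside allow-listed directories: " + real);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // The value is read from a JVM system property set by the deployment,
        // with a fixed default; it is never taken from a request parameter.
        String configured = System.getProperty("app.ffmpeg.path", "/usr/bin/ffmpeg");
        Path ffmpegPath = resolve(configured);
        System.out.println("Using ffmpeg at " + ffmpegPath);
        // The validated string is what reaches the wrapper's constructor:
        //   FFmpeg ffmpeg = new FFmpeg(ffmpegPath.toString());
        // (constructor shape taken from the description above; the import of
        // net.bramp.ffmpeg.FFmpeg is omitted so this file compiles on its own)
    }
}
```

Run it with `java -Dapp.ffmpeg.path=/usr/local/bin/ffmpeg TrustedFfmpegPath.java` on a host where that binary exists; pointing the property at any other executable, or at a symlink that resolves outside the allow-listed directories, makes `resolve` throw before anything is launched. The check is deliberately strict on the file name and directory rather than on the string's appearance, because the disputed finding hinges entirely on which binary the path ultimately names.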
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| net.bramp.ffmpeg:ffmpeg | Maven | <= 0.7.0 | — |
Affected products
Range: <=0.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.