Critical severity · NVD Advisory · Published Mar 25, 2026 · Updated Mar 28, 2026

CVE-2026-26831

Description

textract through 2.5.0 is vulnerable to OS command injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

textract through 2.5.0 is vulnerable to OS command injection via unsanitized file paths passed to child_process.exec() in multiple extractors.

Vulnerability

Overview

The textract Node.js module (through version 2.5.0) contains an OS command injection vulnerability in multiple file extractors. The root cause is that the file path parameter (filePath) is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js without adequate sanitization [1][2]. This allows an attacker to inject arbitrary operating system commands by crafting a malicious filename.

Exploitation

Scenario

An attacker can exploit this vulnerability by providing a file with a specially crafted name that contains command injection payloads. For example, when textract processes a file like test; malicious_command, the unsanitized file path is included in the shell command executed by child_process.exec(). The attack does not require authentication beyond the ability to supply a file for extraction: any route or interface that uses textract to process user-supplied filenames is a potential vector [2].

Impact

Successful exploitation enables an attacker to execute arbitrary OS commands with the privileges of the textract process. This can lead to full compromise of the server, including data exfiltration, installation of backdoors, or lateral movement within the network. The vulnerability is present in all extractors that rely on child_process.exec() with the unsanitized path.

Mitigation

Status

As of the published date (2026-03-25), no fixed version has been released by the maintainers. The last commit on the official repository is several years old, suggesting the project may be abandoned [1]. Users must either sanitize file paths before passing them to textract or replace the library with an actively maintained alternative.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: textract (npm)
Affected versions: <= 2.5.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 6