Description
utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://www.npmjs.com/advisories/789
Patch, Third Party Advisory x_refsource_misc
https://github.com/peterbraden/node-opencv/commit/81a4b8620188e89f7e4fc985f3c89b58d4bcc86b
Patch, Third Party Advisory x_refsource_misc
https://github.com/peterbraden/node-opencv/commit/aaece6921d7368577511f06c94c99dd4e9653563
Scores
CVSS v3
9.8
EPSS
0.0424
EPSS Percentile
89.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
node-opencv_project/node-opencv
< 6.1.0
npm/opencv
0 - 6.1.0npm
Published
Mar 26, 2019
Tracked Since
Feb 18, 2026