CVE-2019-10787

CRITICAL

im-resize < 2.3.2 - OS Command Injection via Exec Argument

Title source: llm

Description

im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the "exec" argument. The cmd argument used within index.js can be controlled by the user without any sanitization.

References (2)

Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-IMRESIZE-544183

Scores

CVSS v3 9.8
EPSS 0.0380
EPSS Percentile 88.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
dnt/im-resize < 2.3.2
npm/im-resize 0npm
Published Feb 04, 2020
Tracked Since Feb 18, 2026