CVE-2019-10788

CRITICAL

im-metadata < 3.0.1 - OS Command Injection via Exec Argument


Description

im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. Arbitrary commands can be injected as part of the metadata options, which are passed to the "exec" function.

References (2)

Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-IMMETADATA-544184

Scores

CVSS v3 9.8
EPSS 0.0242
EPSS Percentile 82.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
dnt/im-metadata < 3.0.1
npm/im-metadata 0npm
Published Feb 04, 2020
Tracked Since Feb 18, 2026