
node-ts-ocr CVE-2025-63705

EUVD-2025-209722 | HIGH
OS Command Injection (CWE-78)
2026-05-07 | mitre | GHSA-8jh2-3mw6-6pfm
CVSS 3.1: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Analysis Generated: May 08, 2026 - 19:30 (vuln.today)
CVSS changed: May 08, 2026 - 17:22 (NVD): 8.8 (HIGH)
CVE Published: May 07, 2026 - 00:00 (nvd): UNKNOWN (no severity yet)
CVE Published: May 07, 2026 - 00:00 (nvd): HIGH 8.8

Description (NVD)

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.

Analysis (AI)

Command injection in node-ts-ocr 1.0.15 enables authenticated attackers to execute arbitrary operating system commands through the invokeImageOcr function. Exploitation is low-complexity and requires no user interaction, and a successful attack fully compromises confidentiality, integrity, and availability on affected systems. Public proof-of-concept code exists (GitHub Gist), though the EPSS assessment indicates a 0.04% probability of active exploitation within 30 days and the vulnerability is not listed in CISA KEV, suggesting targeted rather than widespread exploitation risk.

Technical Context (AI)

The node-ts-ocr NPM package is a TypeScript-based OCR (Optical Character Recognition) library for Node.js applications. This vulnerability stems from CWE-78 (OS Command Injection), where the invokeImageOcr function in src/index.js fails to properly sanitize user input before passing it to operating system command execution functions. In Node.js environments, this typically occurs through unsafe use of child_process.exec() or similar APIs that invoke system shells, allowing metacharacters in image file paths or OCR parameters to break out of intended command context and execute arbitrary commands. The affected CPE data is incomplete (cpe:2.3:a:n/a:n/a), but the NPM package reference confirms node-ts-ocr version 1.0.15 is the specific affected product.

Remediation (AI)

No vendor-released patch or updated version has been identified at the time of analysis. The node-ts-ocr NPM package repository should be monitored for security updates addressing this command injection vulnerability. As an immediate compensating control, implement strict input validation on all parameters passed to the invokeImageOcr function, specifically whitelisting allowed characters in file paths and rejecting any input containing shell metacharacters such as semicolons, pipes, backticks, dollar signs, or command substitution syntax. Deploy the application following the principle of least privilege, ensuring the Node.js process runs under a restricted service account with minimal file system and network access to limit the impact of command injection. For high-risk environments, consider replacing node-ts-ocr with an alternative OCR library that has active security maintenance, or run OCR processing in isolated sandboxed containers with no access to sensitive resources. Authentication boundaries should be strengthened to ensure only trusted users can trigger OCR operations, and application-level logging should capture all invocations of invokeImageOcr for forensic detection. Reference the proof-of-concept at https://gist.github.com/6en6ar/a2ac44da0f4e580190be3e66cfbb9a4a to understand the exact exploitation technique and test validation controls.


CVE-2025-63705 vulnerability details – vuln.today
