Skip to main content

node-ts-ocr CVE-2025-63705

| EUVDEUVD-2025-209722 HIGH
OS Command Injection (CWE-78)
2026-05-07 mitre GHSA-8jh2-3mw6-6pfm
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 19:30 vuln.today
CVSS changed
May 08, 2026 - 17:22 NVD
8.8 (HIGH)
CVE Published
May 07, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.

AnalysisAI

Command injection in node-ts-ocr 1.0.15 enables authenticated attackers to execute arbitrary operating system commands through the invokeImageOcr function. The vulnerability requires low-complexity exploitation with no user interaction, allowing complete compromise of confidentiality, integrity, and availability on affected systems. Public proof-of-concept code exists (GitHub Gist), though EPSS assessment indicates 0.04% probability of active exploitation within 30 days and the vulnerability is not listed in CISA KEV, suggesting targeted rather than widespread exploitation risk.

Technical ContextAI

The node-ts-ocr NPM package is a TypeScript-based OCR (Optical Character Recognition) library for Node.js applications. This vulnerability stems from CWE-78 (OS Command Injection), where the invokeImageOcr function in src/index.js fails to properly sanitize user input before passing it to operating system command execution functions. In Node.js environments, this typically occurs through unsafe use of child_process.exec() or similar APIs that invoke system shells, allowing metacharacters in image file paths or OCR parameters to break out of intended command context and execute arbitrary commands. The affected CPE data is incomplete (cpe:2.3:a:n/a:n/a), but the NPM package reference confirms node-ts-ocr version 1.0.15 is the specific affected product.

RemediationAI

No vendor-released patch or updated version has been identified at the time of analysis. The node-ts-ocr NPM package repository should be monitored for security updates addressing this command injection vulnerability. As an immediate compensating control, implement strict input validation on all parameters passed to the invokeImageOcr function, specifically whitelisting allowed characters in file paths and rejecting any input containing shell metacharacters such as semicolons, pipes, backticks, dollar signs, or command substitution syntax. Deploy the application with principle of least privilege, ensuring the Node.js process runs under a restricted service account with minimal file system and network access to limit command injection impact. For high-risk environments, consider replacing node-ts-ocr with alternative OCR libraries that have active security maintenance or implement OCR processing in isolated sandboxed containers with no access to sensitive resources. Authentication boundaries should be strengthened to ensure only trusted users can trigger OCR operations, and application-level logging should capture all invocations of invokeImageOcr for forensic detection. Reference the proof-of-concept at https://gist.github.com/6en6ar/a2ac44da0f4e580190be3e66cfbb9a4a to understand the exact exploitation technique and test validation controls.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2025-63705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy