Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 70 npm packages depend on textract (54 direct, 17 indirect)
Ecosystem-wide dependent count for version 2.5.0.
DescriptionCVE.org
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
AnalysisAI
The textract library through version 2.5.0 contains an OS command injection vulnerability in its file extraction modules that allows attackers to execute arbitrary operating system commands by crafting malicious filenames. The vulnerability affects multiple extractors (doc.js, rtf.js, dxf.js, images.js, and util.js) where user-supplied file paths are passed directly to child_process.exec() without adequate sanitization. An attacker can exploit this by uploading or referencing files with specially crafted names containing shell metacharacters, leading to complete system compromise with the privileges of the process running textract.
Technical ContextAI
The textract library is a Node.js package (available on npm) designed to extract text from various document formats including DOC, RTF, DXF, and image files. The vulnerability stems from unsafe usage of child_process.exec() in multiple extractor modules, which spawns a shell to execute system commands. Rather than using safer alternatives like child_process.execFile() with parameterized arguments, the code concatenates user-controlled file paths directly into shell command strings. This is a classic OS command injection vulnerability (CWE-78) where shell metacharacters in filenames (such as semicolons, pipes, or backticks) are interpreted by the shell rather than treated as literal filename characters. The affected modules include lib/extractors/doc.js, lib/extractors/rtf.js, lib/extractors/dxf.js, lib/extractors/images.js, and lib/util.js, indicating a systemic sanitization issue across the codebase.
RemediationAI
Immediately upgrade the textract library to a version newer than 2.5.0 if available, or discontinue use of the library until a patched version is released by the maintainers. Check the official GitHub repository (https://github.com/dbashford/textract) for security updates and patch releases. In the interim, implement compensating controls by sanitizing all filenames before passing them to textract by removing or escaping shell metacharacters (semicolons, pipes, backticks, dollar signs, ampersands, parentheses, and quotes), implementing strict input validation using allowlists of safe characters, running the textract process in a restricted container or sandbox with minimal filesystem and network access, and applying principle of least privilege so the Node.js process runs with the minimum necessary permissions. Consider using alternative text extraction libraries that handle shell command construction more safely, or submit a pull request to the textract repository with fixes that replace child_process.exec() calls with child_process.execFile() and proper argument parameterization.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15459
GHSA-9pcj-m5rr-p28g