EUVD-2026-15461
GHSA-8j44-735h-w4w2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization
Analysis
The node-tesseract-ocr npm package versions through 2.2.1 contains a critical OS command injection vulnerability in the recognize() function where file path parameters are concatenated into shell commands without sanitization before being passed to child_process.exec(). Attackers can achieve complete remote code execution with no authentication required. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all applications and services using node-tesseract-ocr through dependency scanning and create an inventory of affected systems; isolate or restrict network access to affected applications if feasible. Within 7 days: Evaluate alternative OCR libraries without known vulnerabilities and begin migration planning; implement network segmentation to limit lateral movement from compromised systems. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today