Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 npm packages depend on thumbler (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.1.2.
DescriptionCVE.org
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
AnalysisAI
Thumbler through version 1.1.2 contains an OS command injection vulnerability in the thumbnail() function where user-supplied input from the input, output, time, or size parameters is directly concatenated into shell commands executed via Node.js child_process.exec() without sanitization or escaping. This allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process. A proof-of-concept has been documented in public repositories, making this vulnerability immediately actionable for exploitation.
Technical ContextAI
Thumbler is a Node.js image thumbnail generation library distributed via npm (https://www.npmjs.com/package/thumbler). The vulnerability exists in the core thumbnail() function located in lib/thumbler.js, where user-controlled parameters are passed directly to child_process.exec(), a synchronous command execution method that invokes a shell to parse and execute the command string. This is a classic command injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) where metacharacters like backticks, semicolons, pipes, and command substitution syntax ($()) are not filtered or escaped before shell execution. The affected CPE is cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* based on available metadata, though the package is clearly identified as 'thumbler' on npm. Any application using thumbler to generate thumbnails from user-supplied image paths, dimensions, or metadata is vulnerable if that input reaches the affected parameters.
RemediationAI
Immediately upgrade thumbler to a version newer than 1.1.2 by updating package.json and running npm update thumbler. Contact the thumbler maintainers (mmahrous) at https://github.com/mmahrous/thumbler to obtain or confirm the availability of a patched release that properly sanitizes or escapes all user-supplied parameters before passing them to child_process.exec(). As an interim mitigation, if upgrading is not immediately possible, refactor code to avoid passing user-controlled input directly to the thumbnail() function, or implement strict input validation that whitelists only alphanumeric characters and safe file path components. Consider replacing thumbler with an alternative image processing library that uses programmatic APIs (such as Sharp or ImageMagick bindings) instead of shell command concatenation. Additionally, run the application with minimal process privileges and use containerization with restricted filesystem and capability settings to limit blast radius if exploitation occurs.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15463
GHSA-mvhf-547c-h55r