Node-ts-ocr OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the NPM package node-ts-ocr, specifically in version 1.0.15. The issue arises in the invokeImageOcr function within src/index.js, where the imagePath variable is not properly sanitized. This lack of validation allows attackers to inject arbitrary commands that are executed using the child_process module. The vulnerability can be exploited by providing a crafted image path that includes command injection payloads, which are then executed on the server.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where the affected package is used.

Reproduction

To reproduce this vulnerability, import the Ocr class from the node-ts-ocr package and call the invokeImageOcr function with a crafted file name that includes command injection payloads, such as 'image.tiff; id; '. The injected command will be executed on the server, demonstrating the command injection vulnerability.

Added: May 7, 2026, 3:57 PM
Updated: May 7, 2026, 3:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.0
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.