pdf-image OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the pdf-image npm package, affecting all versions through 2.0.0. The issue arises in the index.js file, where user-controlled file paths are interpolated into shell command strings using util.format(). These commands are then executed with child_process.exec(), allowing for arbitrary command execution on the host system.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system where the vulnerable pdf-image package is used.

Reproduction

To reproduce this vulnerability, create a PDF file and use the pdf-image package to convert it. Pass a file path that includes shell metacharacters into the PDFImage constructor. When the getInfo() or convertPage() method is called, the path is interpolated into the shell command string and the injected command runs on the host system.

Remediation

No fixed version is available as of March 24, 2026. Users are advised to stop passing untrusted file paths into the PDFImage constructor, replace the shell-based command execution with argument-safe methods such as execFile() or spawn() that take an argument array (so no shell parses the path), and consider using a maintained alternative or a private fork with a fix.

Added: Mar 25, 2026, 3:20 PM
Updated: Mar 25, 2026, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 10.0
exploitability: 6.0
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.