node-tesseract-ocr OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the 'node-tesseract-ocr' npm package, which serves as a Node.js wrapper for Tesseract OCR. This vulnerability exists in all versions up to and including 2.2.1. The issue arises in the 'recognize()' function within 'src/index.js', where the file path parameter is improperly sanitized before being concatenated into a shell command. This command is then executed using 'child_process.exec()', allowing for potential OS command injection.
Impact
Exploitation of this vulnerability allows for arbitrary OS command execution on the host system where the vulnerable package is used.
Reproduction
To reproduce this vulnerability, use the 'recognize()' function of the 'node-tesseract-ocr' package with a crafted file path that includes shell command syntax. The injected commands will be executed on the server, demonstrating the command injection flaw.
Remediation
As of March 24, 2026, no fixed version is available. Users are advised to treat input paths as untrusted, avoid building command strings with 'join(" ")', and use 'execFile()' or 'spawn()' with explicit arguments instead. Alternatively, consider moving to a maintained wrapper or safely calling Tesseract from custom code.
