Thumbler OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the Thumbler package (a Node.js library), specifically in version 1.1.2. The 'thumbnail()' function in 'lib/thumbler.js' concatenates caller-supplied input into a shell command string without sanitizing it and then runs that string with 'child_process.exec()', which passes it to a shell. Because the shell parses the entire string, an attacker who controls the input can terminate the intended command and append commands of their own, and those commands are executed on the server.
Impact
Exploitation of this vulnerability allows arbitrary command execution on the host where Thumbler is running, with the privileges of the Node.js process that called 'thumbnail()'. Any application that forwards attacker-influenced data to 'thumbnail()' is affected.
Reproduction
To reproduce this vulnerability, install Thumbler version 1.1.2 and call the 'thumbnail()' function with an 'input' parameter that contains shell command syntax: terminate the intended command (for example with a ';' separator) and append a command such as 'id > /tmp/pwned'. When 'thumbnail()' runs, the shell executes the appended command; the appearance of '/tmp/pwned' containing the output of 'id' confirms the command injection.
Remediation
As of March 24, 2026, no fixed version of Thumbler has been released. Until one is, do not pass untrusted data into the 'thumbnail()' function. If you maintain the calling code or a fork, replace the concatenated 'exec()' call with 'child_process.execFile()' (or 'spawn()' without 'shell: true') and an argument array, so that each value reaches the child process as a single argv entry and is never parsed by a shell, and validate file paths and size values before use. Otherwise, consider switching to a different library or to a maintained fork that addresses this vulnerability.
