ExifTool-Vendored Argument Injection Vulnerability

Vulnerability

A vulnerability allowing argument injection has been identified in ExifTool-Vendored versions prior to 35.19.0. The issue arises because the library interpolates user-supplied strings into ExifTool arguments without sanitizing them, so a newline or carriage return character embedded in a string splits one argument into several. Applications that pass attacker-controlled strings to the affected ExifTool APIs are exposed, and an attacker could use this to manipulate file reading or writing operations. The vulnerability has been fixed in version 35.19.0.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of ExifTool's file reading or writing operations, allowing an attacker to access or modify files through paths accessible to the ExifTool process.

Remediation

Users are advised to upgrade to ExifTool-Vendored version 35.19.0 or later. If an immediate upgrade is not possible, untrusted strings containing control characters should be rejected before being passed to the affected ExifTool APIs. This can be done using a simple TypeScript function that checks for unsafe characters.
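A guard of the kind the remediation describes, written here as an added example (it is not code from ExifTool-Vendored itself). The function names, the treatment of the whole C0/C1 control range rather than only newline and carriage return, and the `readFn` callback standing in for the real ExifTool API call are assumptions:

```typescript
// Constructed example, not exiftool-vendored's own code. Vulnerable versions
// let "\n" or "\r" inside a string split one ExifTool argument into several;
// rejecting control characters before the call closes that path.

// C0 controls (includes \n and \r), DEL, and C1 controls. Broader than the
// advisory's two characters; an assumption made to be conservative.
const CONTROL_CHAR = /[\u0000-\u001f\u007f-\u009f]/;

export function isSafeExifArg(value: string): boolean {
  return !CONTROL_CHAR.test(value);
}

// Distinct offending characters, in order of first appearance.
export function findUnsafeChars(value: string): string[] {
  const found = new Set<string>();
  for (const ch of value) {
    if (CONTROL_CHAR.test(ch)) found.add(ch);
  }
  return [...found];
}

// Returns the value unchanged if safe; throws a descriptive error otherwise.
export function assertSafeExifArg(value: string, label = "argument"): string {
  const bad = findUnsafeChars(value);
  if (bad.length > 0) {
    const codes = bad
      .map((c) => "U+" + c.codePointAt(0)!.toString(16).toUpperCase().padStart(4, "0"))
      .join(", ");
    throw new Error(`Refusing to pass ${label} to ExifTool: contains control character(s) ${codes}`);
  }
  return value;
}

// Wrapper that validates a user-controlled path before it reaches the API.
// `readFn` stands in for a call such as the library's read(); it is injected
// here (assumption) so the example runs without the dependency installed.
export function guardedRead<T>(file: string, readFn: (file: string) => T): T {
  return readFn(assertSafeExifArg(file, "file path"));
}

// Tag names and string values passed to a write call need the same check.
export function safeTags(tags: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(tags)) {
    out[assertSafeExifArg(k, "tag name")] = assertSafeExifArg(v, `value of ${k}`);
  }
  return out;
}
```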

Added: May 11, 2026, 10:31 PM
Updated: May 11, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 7.4
remediation: 0.0
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.