Description
NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the node-ts-ocr NPM package, version 1.0.15, where the invokeImageOcr function fails to properly validate input used in a shell command, allowing an attacker to inject arbitrary OS commands. Successful exploitation could result in remote code execution, compromising the confidentiality, integrity, and availability of the systems running the application.

Affected Systems

Any application that depends on node-ts-ocr 1.0.15 is affected. No specific operating system is mentioned, so the impact applies wherever the package is deployed, including Node.js environments that run the vulnerable code.

Risk and Exploitability

The CVE does not list a CVSS score or EPSS. The vulnerability is not listed in CISA KEV. OS command injection is a high‑risk flaw; an attacker with access to the invokeImageOcr API could execute arbitrary commands. The lack of official remediation data suggests the risk remains significant until a patch or alternative solution is applied.

Generated by OpenCVE AI on May 7, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a later, fixed version of node-ts-ocr if available, or replace it with a secure OCR library.
  • Verify that any arguments passed to invokeImageOcr are strictly validated and sanitized; avoid passing unsanitized data from untrusted sources.
  • Run the application with the least privileges necessary and, if possible, isolate the OCR processing in a sandboxed environment to limit damage if the vulnerability is exploited.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Node Ts Ocr; Node Ts Ocr node Ts Ocr
Vendors & Products | | Node Ts Ocr; Node Ts Ocr node Ts Ocr

Thu, 07 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Title | | OS Command Injection in node-ts-ocr 1.0.15
Weaknesses | | CWE-78

Thu, 07 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T14:09:28.578Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63705

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-07T15:16:04.213

Modified: 2026-05-07T15:51:19.043

Link: CVE-2025-63705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:20Z

Weaknesses