Impact
The pdf-image npm package contains a flaw where user‑controlled pdfFilePath values are interpolated directly into shell command strings via util.format() and executed with child_process.exec. Because the path is neither validated nor escaped before it reaches the shell, an attacker who controls it can append arbitrary shell commands, which then run with the privileges of the Node.js process. This vulnerability is classified as CWE‑94 and can compromise the confidentiality, integrity, and availability of the host system.
Affected Systems
All Node.js applications that depend on pdf‑image version 2.0.0 or earlier are affected, regardless of operating system or deployment environment. The issue resides entirely in the JavaScript library, so any project that accepts external PDF file paths and uses pdf‑image for image extraction is at risk. No vendor or OS is singled out in the CVE data.
Risk and Exploitability
The CVSS score of 9.8 indicates a high severity. With an EPSS score below 1%, the estimated likelihood of exploitation in the wild is currently low, but the potential impact is catastrophic. Based on the description, it is inferred that a remote attacker can trigger the injection by supplying a malicious pdfFilePath through web requests, file uploads, or inter‑process communication. Once the injected command executes, the attacker gains full control of the host with whatever privileges the Node.js process runs under. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants top‑priority mitigation.
OpenCVE Enrichment
Github GHSA