Description
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability affects textract versions 2.5.0 and earlier because the filePath parameter supplied to several extractors (lib/extractors/doc.js, rtf.js, dxf.js, images.js and lib/util.js) is built into a shell command string and handed to child_process.exec without sanitization. exec() runs that string through a shell, so shell metacharacters in a file name (`;`, `|`, `$(...)`, backticks, `&`) are parsed as command syntax. An attacker who controls the name of a file that textract processes can therefore run arbitrary operating system commands with the privileges of the Node.js process, which amounts to remote code execution on the host. The weakness maps to CWE-78 (OS Command Injection); the record also carries CWE-94 (Improper Control of Generation of Code, "Code Injection").

Affected Systems

The vulnerability affects the open‑source npm package textract, versions up to and including 2.5.0. Applications built with Node.js that depend on this package, directly or transitively, are at risk. No other vendors or products are listed. The supporting CPE (cpe:2.3:a:dbashford:textract:*:*:*:*:*:node.js:*:*) indicates a Node.js environment. Any project using textract ≤ 2.5.0 for document, RTF, DXF, or image extraction is impacted.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the issue critical: reachable over the network, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability. The EPSS score is below 1%, suggesting that exploitation is currently uncommon, and the issue is not present in CISA’s Known Exploited Vulnerabilities catalog; the SSVC assessment on the record nonetheless marks Exploitation as "poc" and Automatable as "yes". The single precondition is that an attacker-chosen file name reaches the child_process.exec call, which happens whenever an application accepts user uploads and passes them to textract under their original names. In that case the attacker obtains arbitrary command execution on the host where the application runs.

Generated by OpenCVE AI on March 30, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a textract release that removes the unsanitized filePath usage (v2.5.1 or newer, if published). The Remediation section above records no vendor fix, so confirm the patched version against GHSA-9pcj-m5rr-p28g and the npm registry before relying on it.
  • If upgrading is not immediately possible, never let a user‑supplied file name reach the exec call: store uploads under a server‑generated name (for example a random identifier plus an allow‑listed extension) and pass only that path to textract, or validate the name against a strict allow‑list of characters and reject anything else. Rejecting is safer than escaping, because the string still reaches a shell.
  • Consider switching to a safer extraction mechanism or replacing textract with a library that invokes external converters through child_process.execFile or spawn with an argument array rather than through exec with a shell command string.
  • Monitor the project repository for further updates or security advisories.


Advisories
Source: Github GHSA | ID: GHSA-9pcj-m5rr-p28g | Title: textract is vulnerable to OS Command Injection
History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in textract via Untrusted File Names

Mon, 30 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
CPEs cpe:2.3:a:dbashford:textract:*:*:*:*:*:node.js:*:*

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in textract via Untrusted File Names

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ssvc (version 2.0.3): Automatable: yes, Exploitation: poc, Technical Impact: total


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection in textract via unsanitized file path
Weaknesses CWE-78

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection in textract via unsanitized file path
Weaknesses CWE-78

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection via Malicious File Paths in textract Package
Weaknesses CWE-20
CWE-78

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Dbashford
Dbashford textract
Vendors & Products Dbashford
Dbashford textract

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection via Malicious File Paths in textract Package
Weaknesses CWE-20
CWE-78

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-28T01:12:59.787Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26831

Vulnrichment

Updated: 2026-03-28T01:12:42.439Z

NVD

Status : Analyzed

Published: 2026-03-25T16:16:21.123

Modified: 2026-03-30T13:33:41.273

Link: CVE-2026-26831

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:03Z

Weaknesses