Description
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Unvalidated file paths supplied to the recognize() function in the node-tesseract-ocr npm package are concatenated into a shell command string and passed to child_process.exec() without sanitization, creating an OS Command Injection flaw (CWE-78). An attacker who can influence the file path argument could inject arbitrary shell commands, potentially gaining full control over the host running the Node.js application.

Affected Systems

All releases of node-tesseract-ocr up to and including version 2.2.1 contain the vulnerable code. Any Node.js application that imports this package and calls recognize(), for example a web service or script that processes user-supplied image files, is affected. The issue resides in the src/index.js file of the package.

Risk and Exploitability

The CVSS score of 9.8 marks this vulnerability as critical. The attack vector is inferred to be user-controlled input via the file path parameter; any interface that accepts a file path, such as a web API or CLI, provides a potential exploitation path. Although EPSS data is not available and the vulnerability is not yet listed in the CISA KEV catalog, the straightforward exploitability and severe impact suggest a high likelihood of real-world exploitation.

Generated by OpenCVE AI on March 25, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node-tesseract-ocr to the latest release that removes the unsanitized exec usage (any version newer than 2.2.1).
  • If an upgrade is not feasible, validate and sanitize the file path argument before invoking recognize() to eliminate shell metacharacter influence.
  • Consider restricting the file path to a predefined safe directory or removing/disabling the recognize() function from public code paths.
  • Review server logs for abnormal child_process execution and apply monitoring to detect potential exploitation.

Generated by OpenCVE AI on March 25, 2026 at 20:12 UTC.

Advisories

Source: Github GHSA
ID: GHSA-8j44-735h-w4w2
Title: node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter
History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Zapolnoch; Zapolnoch node-tesseract-ocr

Type: Vendors & Products
Values Added: Zapolnoch; Zapolnoch node-tesseract-ocr

Wed, 25 Mar 2026 22:00:00 +0000

Type: Title
Values Added: node-tesseract-ocr OS Command Injection via Unsanitized File Path

Wed, 25 Mar 2026 18:15:00 +0000

Type: Weaknesses
Values Added: CWE-78

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:15:00 +0000

Type: Description
Values Added: node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-25T17:52:56.510Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26832

Vulnrichment

Updated: 2026-03-25T17:52:52.211Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T16:16:21.240

Modified: 2026-03-26T15:13:15.790

Link: CVE-2026-26832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:51:33Z

Weaknesses