Impact
thumbler, a Node.js library that produces image thumbnails, has an OS command injection flaw in its thumbnail() function. The library concatenates user-controlled parameters such as input, output, time, or size directly into a shell command string that is executed via child_process.exec() without any sanitization or escaping. This results in a classic OS Command Injection vulnerability (CWE‑78) and also allows JavaScript code injection (CWE‑94). An attacker who can influence these API arguments can execute arbitrary shell commands on the host system with the privileges of the Node.js process, compromising confidentiality, integrity, and availability.
Affected Systems
Vulnerable releases of thumbler up to version 1.1.2 are affected. The npm package thumbler is maintained by the user mmahrous and distributed under the npm registry. Any Node.js application that imports thumbler and calls the thumbnail() API with unsanitized arguments is at risk. External codebases that embed this library, regardless of the surrounding application, may be impacted if they expose user input to the thumbnail() parameters.
Risk and Exploitability
The CVSS base score of 9.8 classifies this vulnerability as Critical, and the EPSS score of 2 % indicates that exploitation is reasonably likely in the wild. Although it has not yet been listed in CISA’s KEV catalog, the high severity and the ease of triggering via exposed APIs suggest a strong attack surface. An attacker can trigger the flaw simply by supplying crafted values to the thumbnail() function, leading to remote code execution with the privileges of the Node.js process.
OpenCVE Enrichment
Github GHSA