Description
exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters. Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated. This vulnerability is fixed in 35.19.0.
Published: 2026-05-11
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

exiftool‑vendored allows attacker‑controlled strings with newline or carriage return characters to be interpolated into ExifTool arguments. The newline splits a single intended argument into multiple ExifTool arguments, enabling argument injection. Although no remote code execution has been demonstrated, an attacker can cause ExifTool to read files or write output to arbitrary filesystem paths that are accessible to the ExifTool process, potentially exposing sensitive data or overwriting files.

Affected Systems

The vulnerability exists in version 35.18.0 and earlier of the photostructure exiftool‑vendored.js package. Any Node.js application that imports this package and passes user‑supplied strings to its exposed APIs, such as tag manipulation functions, is affected.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred as local or embedded data passing; an attacker must supply crafted input that reaches the vulnerable API. If the application runs with elevated privileges, the resulting improper file access could lead to confidentiality or integrity compromise.

Generated by OpenCVE AI on May 11, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the exiftool‑vendored package to version 35.19.0 or newer.
  • Ensure that all strings passed to exiftool‑vendored APIs are sanitized or validated to reject newline, carriage return and NUL characters before use.
  • If an upgrade is not immediately possible, implement input filtering at the application level to strip line delimiters and NUL bytes from user data before calling the exiftool‑vendored functions.

Generated by OpenCVE AI on May 11, 2026 at 22:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cw26-7653-2rp5 exiftool-vendored vulnerable to argument injection via newline characters in tag names
History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Photostructure
Photostructure exiftool-vendored.js
Vendors & Products Photostructure
Photostructure exiftool-vendored.js

Mon, 11 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters. Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated. This vulnerability is fixed in 35.19.0.
Title exiftool-vendored: Argument injection via newline characters in tag names
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Photostructure Exiftool-vendored.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T12:54:40.823Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43893

cve-icon Vulnrichment

Updated: 2026-05-12T12:54:37.489Z

cve-icon NVD

Status : Received

Published: 2026-05-11T22:22:14.033

Modified: 2026-05-11T22:22:14.033

Link: CVE-2026-43893

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:21Z

Weaknesses