What the vulnerability does

Description

Input passed to the Pdf() function is shell escaped and then passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely the semicolon and curly braces, so those characters reach the shell unescaped. This can be abused to achieve command execution. This problem affects nodepdf 1.3.0.

Key dates

Disclosure timeline

July 28, 2022 CVE published
August 6, 2024 Record updated