CVE-2016-4991
Published: 28 July 2022
Summary
CVE-2016-4991 is a critical-severity Command Injection (CWE-77) vulnerability in Nodepdf Project Nodepdf (the nodepdf Node.js package). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 19.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-5957
Vulnerability details
Input passed to the Pdf() function is shell escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution.…
This problem affects nodepdf 1.3.0.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.