Affected versions of this package are vulnerable to Command Injection. The issue occurs in the `image.stream` functions. The `type` parameter is used to build the command that is then executed using `child_process.spawn`. The issue occurs because `child_process.spawn` is called with the option `shell` set to `true` and because the `type` parameter is not properly sanitized.
```javascript
const total = require('total.js'); // exposes the global Image helper

let image = Image.load("");
// Shell metacharacters in the type argument are interpreted by the shell
// because spawn() is invoked with shell: true.
let payload = ";touch HACKED;";
image.stream(payload);
// image.pipe(null, payload);
```
Upgrade total.js to version 3.4.7 or higher.