Skip to content

exiftool-vendored vulnerable to argument injection via newline characters in tag names

High severity GitHub Reviewed Published Apr 25, 2026 in photostructure/exiftool-vendored.js • Updated May 13, 2026

Package

npm exiftool-vendored (npm)

Affected versions

<= 35.18.0

Patched versions

35.19.0

Description

Impact

exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters.

Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated.

The reported write-path issue is caused by unsanitized tag keys. Tag values passed to ExifTool#write are not affected, because WriteTask already encodes whitespace characters in values (e.g. \n -> &#10;) before transmission.

Confirmed affected inputs:

  • Tag-name arguments / tag keys — keys of the tags object passed to ExifTool#write; entries of the retain option to ExifTool#deleteAllTags; entries of the numericTags option to ExifTool#read; the tagname argument to ExifTool#extractBinaryTag and #extractBinaryTagToBuffer.
  • Filename / path arguments to ExifTool#write, #read, #readRaw, #deleteAllTags, #rewriteAllTags, #extractBinaryTag, #extractBinaryTagToBuffer, and the binary-extraction convenience methods #extractJpgFromRaw, #extractPreview, and #extractThumbnail. path.resolve() does not strip newlines, so an application that accepts attacker-controlled filenames containing newline characters was vulnerable.
  • The imageHashType option to ExifTool#read. TypeScript types restrict this to a literal union, but JS callers or callers with weakened type checking could reach the sink.

Applications that only pass hardcoded strings for tag names, options, and filenames are not affected.

Patches

Fixed in v35.19.0. Two layers of defense:

  1. Per-site input validation. A new validateTagName helper rejects any tag-name string containing characters outside the ExifTool tag grammar (letters, digits, :, -, _, and the ExifTool modifiers *, ?, +, #). Applied at every tag-name interpolation site.
  2. Defense-in-depth at the command renderer. ExifToolTask.renderCommand now rejects any argument containing \r, \n, or \0 before it is sent to the ExifTool process. This catches injection via filename arguments, option values, and any future interpolation site that forgets the per-site validator.

Workarounds

Upgrade to v35.19.0 or later.

If upgrading immediately is not possible, reject untrusted strings containing control characters before passing them to the affected APIs. Conservative guard:

function assertSafeForExifTool(s: string): void {
  if (typeof s !== "string" || /[\x00-\x20=<>]/.test(s)) {
    throw new Error("Rejected unsafe string for ExifTool");
  }
}

Apply to tag names, retain / numericTags entries, binary-extraction tag names, filenames, and the imageHashType option. This is a denylist and is strictly weaker than the library's internal validator; it is sufficient to block the known PoCs but will accept strings that the library itself now rejects.

Resources

Credit

  • Reporter: Hank Tam
  • Affiliation: Independent

References

@mceachen mceachen published to photostructure/exiftool-vendored.js Apr 25, 2026
Published to the GitHub Advisory Database May 5, 2026
Reviewed May 5, 2026
Published by the National Vulnerability Database May 11, 2026
Last updated May 13, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(36th percentile)

Weaknesses

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. Learn more on MITRE.

CVE ID

CVE-2026-43893

GHSA ID

GHSA-cw26-7653-2rp5

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.