CVE-2021-23376: Command Injection in ffmpegdotjs
CVSS Score: 9.8 (CVSS v3.1)

Basic Information
CVE ID: CVE-2021-23376
GHSA ID:
EPSS Score: 0.68852%
CWE:
Published: 5/6/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ffmpegdotjs | npm | <= 0.0.4 | (none listed) |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability documentation identifies trimvideo as the entry point, and the code shows direct interpolation of the user-controlled parameters start, duration and output into an exec() call without sanitization. Because exec() hands the assembled string to a shell, any shell metacharacters in those parameters are interpreted as part of the command line, and the provided PoC demonstrates successful exploitation through the output parameter. Other functions in index.js also use exec() and share the same string-building pattern, so they warrant review, but only trimvideo is explicitly confirmed vulnerable by the advisory details and reproduction evidence.