-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe critical vulnerability stems from using child_process.exec() with user-controllable input. The pre-patch code constructed a command string by concatenating arguments (like -l and --psm options) without proper sanitization, then passed it to exec(). This pattern is a classic command injection vector (CWE-77). The patch explicitly replaces exec() with execFile() and modifies argument handling to use an array format, which prevents shell interpretation of malicious payloads. The commit message 'exec() to execFile()' and CWE-77 classification confirm this was the root cause.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dawnsparks-node-tesseract | npm | < 0.4.1 | 0.4.1 |
A Semantic Attack on Google Gemini - Read the Latest Research