CVE-2025-63705
OS Command Injection in node-ts-ocr NPM Package
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2025-63705 vulnerability is an OS Command Injection flaw found in the NPM package node-ts-ocr, specifically in version 1.0.15 and earlier. It occurs in the invokeImageOcr function located in src/index.js. The problem arises because the imagePath variable is not properly sanitized before being used in a system command executed via child_process. This allows an attacker to inject malicious commands by crafting a special input string that gets appended to the command executed by the tesseract OCR tool. As a result, the injected commands run with the same privileges as the application using the package.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary operating system commands on the server or environment where the vulnerable node-ts-ocr package is used. Since the injected commands run with the privileges of the running process, this can lead to unauthorized access, data theft, system compromise, or disruption of services. Applications using this package for OCR tasks are at risk if they process untrusted input without proper validation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system or application is using the node-ts-ocr package version 1.0.15 or earlier. Specifically, you should verify if the invokeImageOcr function in src/index.js is present and if it uses unsanitized input for the imagePath variable in commands executed via child_process.
To detect exploitation attempts or presence of this vulnerability, you can look for suspicious command executions involving the tesseract tool with unusual appended commands.
- Search your project dependencies for node-ts-ocr version 1.0.15 or earlier: `npm list node-ts-ocr`
- Inspect the src/index.js file for the invokeImageOcr function and check if imagePath input is sanitized.
- Monitor running processes or logs for commands invoking tesseract with suspicious parameters, for example by using: `ps aux | grep tesseract` or checking application logs for command injection patterns like `; id;`.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should avoid using the vulnerable node-ts-ocr package version 1.0.15 or earlier.
If an update or patch is available, upgrade to a fixed version that properly sanitizes the imagePath input before passing it to child_process commands.
As a temporary workaround, sanitize or validate any input passed to the invokeImageOcr function to ensure it does not contain command injection payloads.
Additionally, run the application with the least privileges necessary to limit the impact of any potential command injection.