CVE-2019-10787
OS Command Injection in im-resize
9.8
CRITICAL
CVSS 3.1
EPSS 3.3%
Description
im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the "exec" argument. The cmd argument used within index.js, can be controlled by user without any sanitization.
How to fix CVE-2019-10787
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- npm/im-resize—no fix listed
Is CVE-2019-10787 being exploited?
Low — EPSS is 3.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 2.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |