Command Injection in ffmpegdotjs
Critical severity
GitHub Reviewed
Published
May 6, 2021
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Description
Published by the National Vulnerability Database
Apr 18, 2021
Reviewed
Apr 19, 2021
Published to the GitHub Advisory Database
May 6, 2021
Last updated
Jan 27, 2023
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
References