GHSA-GJX4-2C7G-FM94

Vulnerability from github – Published: 2025-08-19 20:17 – Updated: 2025-08-19 20:17
VLAI?
Summary
screenshot-desktop vulnerable to command Injection via `format` option
Details

Impact

This vulnerability is a command injection issue.
When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization.
An attacker can craft malicious input such as:

{ format: "; echo vulnerable > /tmp/hello;" }

This results in arbitrary command execution with the privileges of the calling process.

Who is impacted:
Any application that accepts untrusted input and forwards it directly (or indirectly) into the format option is affected. If the library is used in a server-side context (e.g., API endpoints, web services), attackers may be able to exploit this remotely and without authentication, leading to full compromise of confidentiality, integrity, and availability.

CVSS v3.1 Base Score: 9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patches

The issue has been patched in version 1.15.2.
All users are strongly recommended to upgrade to 1.15.2 or later.
All earlier versions are vulnerable.

Workarounds

If upgrading is not immediately possible, developers should: - Strictly validate or whitelist acceptable format values (e.g., "jpeg", "png", "webp"). - Reject or sanitize any unexpected input before passing it to the library. - Avoid allowing user-controlled data to reach the format option.

References

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "screenshot-desktop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-19T20:17:45Z",
    "nvd_published_at": "2025-08-19T18:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\nThis vulnerability is a **command injection** issue.  \nWhen user-controlled input is passed into the `format` option of the screenshot function, it is interpolated into a shell command without sanitization.  \nAn attacker can craft malicious input such as:\n\n    { format: \"; echo vulnerable \u003e /tmp/hello;\" }\n\nThis results in arbitrary command execution with the privileges of the calling process.\n\n**Who is impacted:**  \nAny application that accepts untrusted input and forwards it directly (or indirectly) into the `format` option is affected. If the library is used in a server-side context (e.g., API endpoints, web services), attackers may be able to exploit this **remotely and without authentication**, leading to full compromise of confidentiality, integrity, and availability.\n\n**CVSS v3.1 Base Score:** 9.8 (Critical)  \n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n\n## Patches\nThe issue has been patched in **version 1.15.2**.  \nAll users are strongly recommended to upgrade to **1.15.2 or later**.  \nAll earlier versions are vulnerable.\n\n\n\n## Workarounds\nIf upgrading is not immediately possible, developers should:\n- **Strictly validate or whitelist** acceptable `format` values (e.g., `\"jpeg\"`, `\"png\"`, `\"webp\"`).\n- **Reject or sanitize** any unexpected input before passing it to the library.\n- Avoid allowing user-controlled data to reach the `format` option.\n\n\n\n## References\n- [CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)  \n- [OWASP: Command Injection](https://owasp.org/www-community/attacks/Command_Injection)",
  "id": "GHSA-gjx4-2c7g-fm94",
  "modified": "2025-08-19T20:17:45Z",
  "published": "2025-08-19T20:17:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bencevans/screenshot-desktop/security/advisories/GHSA-gjx4-2c7g-fm94"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bencevans/screenshot-desktop/commit/59c87b0c175eec76090e6ccde313f4fc5d569b78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bencevans/screenshot-desktop"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "screenshot-desktop vulnerable to command Injection via `format` option"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.