critical advisory

node-tesseract-ocr OS Command Injection Vulnerability

The node-tesseract-ocr npm package through version 2.2.1 is vulnerable to OS command injection due to improper sanitization of the file path parameter in the recognize() function, potentially allowing for arbitrary command execution.

The node-tesseract-ocr npm package, a Node.js wrapper for the Tesseract OCR command-line tool, is vulnerable to OS command injection (CVE-2026-26832) in versions 2.2.1 and earlier. The vulnerability is in the recognize() function in src/index.js. The file path argument, which names the image to OCR, is concatenated directly into the tesseract command string without quoting or escaping. That string is then passed to child_process.exec(), which runs it through the system shell (/bin/sh -c on Unix, cmd.exe on Windows), so shell metacharacters embedded in the path (;, |, &, $(...), backticks) are interpreted and any appended command is executed with the privileges of the Node.js process. The precondition is that the calling application lets untrusted input reach the path argument, for example by OCRing an uploaded file under its client-supplied name. Exploitation can lead to complete compromise of the host, data exfiltration, or denial of service.

Attack Chain

  1. An attacker identifies an application that passes user-influenced input (an uploaded file's original name, a path taken from a request parameter) to recognize() as the image path.
  2. The attacker supplies a path that embeds shell metacharacters followed by a command of their choosing, such as image.png; id or image.png$(id).
  3. recognize() concatenates the attacker-controlled path into the tesseract command string without quoting or escaping it.
  4. The resulting string is handed to child_process.exec(), which executes it via the system shell; the shell parses the metacharacters and runs the injected command alongside (or instead of) tesseract.
  5. The injected command executes with the privileges of the Node.js process, giving the attacker arbitrary code execution on the host.
  6. From there the attacker can install malware, create accounts, move laterally, or exfiltrate any data the Node.js process can read.

Impact

Successful exploitation lets an attacker execute arbitrary commands on the host running the Node.js application, with that process's privileges. If the process runs as root or as a service account with broad access, this amounts to complete compromise of the server and every dataset and service reachable from it. The library itself performs no network I/O, so the vulnerability is remotely exploitable without user interaction whenever the calling application lets a remote user influence the path passed to recognize(), for instance an upload handler that OCRs files under their original names. Applications that only pass hard-coded or server-generated paths are not exposed through this function but should still upgrade, since the unsafe pattern is one refactor away from being reachable.

Recommendation

  • Upgrade node-tesseract-ocr to a version that addresses CVE-2026-26832 as soon as one is available; versions 2.2.1 and earlier are affected.
  • Until then, never pass untrusted input to recognize(). Write uploaded files under server-generated names, restrict accepted paths to an allow-listed directory, resolve them with path.resolve() and reject anything that escapes that directory or contains shell metacharacters (;, |, &, $, backticks, quotes, newlines, whitespace).
  • Monitor process creation for shells and other unexpected child processes spawned by Node.js (node or node.exe) using the Sigma rules below; note that exec() always spawns a shell, so the signal is a shell command line that chains further commands, not the shell itself.
  • Audit all uses of child_process.exec() and execSync() in your Node.js applications. Where the command needs no shell features, replace them with execFile() or spawn() and an argument array, which hands arguments to the binary directly and removes the shell from the chain entirely.

Detection coverage (2 rules)

Suspicious Process Execution from Node.js

Severity: high

Detects suspicious processes spawned by Node.js which could indicate command injection.

Format: Sigma. Tactic: execution. Techniques: T1059.004, T1212. Log source: process_creation (windows).

Linux Suspicious Process Execution from Node.js

Severity: high

Detects suspicious processes spawned by Node.js which could indicate command injection on Linux.

Format: Sigma. Tactic: execution. Techniques: T1059.004, T1212. Log source: process_creation (linux).


Indicators of compromise

The entries below are reference links for this advisory (the project repository, the affected source file, the npm package page and a reporting e-mail address), not network or host indicators to hunt for.

Type   Value
url    https://github.com/zapolnoch/node-tesseract-ocr
url    https://github.com/zapolnoch/node-tesseract-ocr/blob/master/src/index.js
url    https://github.zebbernCVE/CVE-2026-26832
url    https://www.npmjs.com/package/node-tesseract-ocr
email  [email protected]