{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/exiftool-vendored--35.18.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["exiftool-vendored (\u003c= 35.18.0)"],"_cs_severities":["high"],"_cs_tags":["argument-injection","exiftool","cve-2026-43893"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003eexiftool-vendored\u003c/code\u003e npm package, versions 35.18.0 and earlier, contains an argument injection vulnerability (CVE-2026-43893) stemming from insufficient sanitization of tag names and filenames. The package starts ExifTool in \u003ccode\u003e-stay_open True -@ -\u003c/code\u003e mode, reading arguments from stdin.  Attackers can inject arbitrary ExifTool arguments by including newline characters in tag names, filenames, or the \u003ccode\u003eimageHashType\u003c/code\u003e option passed to affected APIs. This can lead to unauthorized file access or modification within the ExifTool process\u0026rsquo;s permissions. Applications using \u003ccode\u003eexiftool-vendored\u003c/code\u003e and passing attacker-controlled strings to vulnerable APIs are susceptible. The vulnerability was patched in version 35.19.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input string containing newline characters, targeting a tag name or filename parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled string is passed to a vulnerable \u003ccode\u003eexiftool-vendored\u003c/code\u003e API, such as \u003ccode\u003eExifTool#write\u003c/code\u003e, \u003ccode\u003e#read\u003c/code\u003e, or \u003ccode\u003e#deleteAllTags\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newline characters split the intended argument into multiple arguments when ExifTool processes the command.\u003c/li\u003e\n\u003cli\u003eThe injected arguments could cause ExifTool to read arbitrary files accessible to the ExifTool process.\u003c/li\u003e\n\u003cli\u003eAlternatively, the injected arguments could cause ExifTool to write to attacker-controlled file paths accessible to the ExifTool process.\u003c/li\u003e\n\u003cli\u003eSensitive information is read from arbitrary files.\u003c/li\u003e\n\u003cli\u003eFiles are modified or overwritten.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized data access or system modification, depending on the application\u0026rsquo;s usage of ExifTool.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43893 could allow attackers to read sensitive files or overwrite existing files on systems where \u003ccode\u003eexiftool-vendored\u003c/code\u003e is used.  The impact is dependent on the application\u0026rsquo;s file system access permissions and its usage of the vulnerable \u003ccode\u003eexiftool-vendored\u003c/code\u003e APIs. There is no remote code execution reported.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003eexiftool-vendored\u003c/code\u003e version 35.19.0 or later to remediate CVE-2026-43893.\u003c/li\u003e\n\u003cli\u003eApply input validation to reject strings containing control characters (specifically newlines, carriage returns, and null bytes) before passing them to affected \u003ccode\u003eexiftool-vendored\u003c/code\u003e APIs. Reference the example \u003ccode\u003eassertSafeForExifTool\u003c/code\u003e function provided in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unexpected file access or modification attempts originating from the ExifTool process.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect exploitation attempts by monitoring process command lines for injected arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-exiftool-arg-injection/","summary":"exiftool-vendored is vulnerable to argument injection (CVE-2026-43893) via newline characters in tag names, potentially allowing attackers to read or write files accessible to the ExifTool process by injecting arguments through caller-supplied strings.","title":"exiftool-vendored Argument Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-exiftool-arg-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Exiftool-Vendored (\u003c= 35.18.0)","version":"https://jsonfeed.org/version/1.1"}