There is a command injection vulnerability in affected versions of total.js. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.
Update to version 3.4.7 or later
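
For code that spawns an image tool in the same way, the two conditions named above map to two mitigations: validate the type against an allow-list, and pass arguments as an array with shell set to false. The following is an added example, not code from total.js; the allow-list, the function names and the converter argument layout are assumptions.

```javascript
const { spawn, spawnSync } = require('child_process');

// Assumed allow-list; the formats an application accepts are its own decision.
const ALLOWED_TYPES = new Set(['png', 'jpg', 'jpeg', 'gif', 'webp']);

// Return a normalised type, or throw before anything reaches a child process.
function validateType(type) {
  if (typeof type !== 'string') throw new TypeError('type must be a string');
  const t = type.toLowerCase();
  if (!ALLOWED_TYPES.has(t)) throw new RangeError('unsupported image type');
  return t;
}

// Hypothetical converter arguments: read stdin, write <type> to stdout.
function buildArgs(type) {
  return ['-', validateType(type) + ':-'];
}

// Hardened call: argument array and no shell, so no string is ever parsed as
// shell syntax. `binary` is whatever converter the application has installed.
function convertStream(binary, type, input, output) {
  const child = spawn(binary, buildArgs(type), { shell: false });
  input.pipe(child.stdin);
  child.stdout.pipe(output);
  return child;
}

// Shows what a child receives when no shell is involved. Node itself stands in
// for the image tool so the check runs on any machine.
function argSeenByChild(value) {
  const script = 'process.stdout.write(process.argv[process.argv.length - 1])';
  const r = spawnSync(process.execPath, ['-e', script, value],
    { shell: false, encoding: 'utf8' });
  return r.stdout;
}

// Constructed input containing a shell metacharacter.
const sample = 'png; echo marker';
console.log(JSON.stringify(argSeenByChild(sample))); // arrives as one literal argument
try {
  buildArgs(sample);
} catch (e) {
  console.log('rejected:', e.message); // allow-list stops it before any spawn
}
console.log(buildArgs('PNG'));
```

The allow-list is the primary control; running without a shell is the second layer that keeps a missed validation from turning into command execution.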