exiftool-vendored vulnerable to argument injection via newline characters in tag names

Description

Impact

exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters.

Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated.

The reported write-path issue is caused by unsanitized tag keys. Tag values passed to ExifTool#write are not affected, because WriteTask already encodes whitespace characters in values (e.g. \n -> 
) before transmission.

Confirmed affected inputs:

  • Tag-name arguments / tag keys — keys of the tags object passed to ExifTool#write; entries of the retain option to ExifTool#deleteAllTags; entries of the numericTags option to ExifTool#read; the tagname argument to ExifTool#extractBinaryTag and #extractBinaryTagToBuffer.
  • Filename / path arguments to ExifTool#write, #read, #readRaw, #deleteAllTags, #rewriteAllTags, #extractBinaryTag, #extractBinaryTagToBuffer, and the binary-extraction convenience methods #extractJpgFromRaw, #extractPreview, and #extractThumbnail. path.resolve() does not strip newlines, so an application that accepts attacker-controlled filenames containing newline characters was vulnerable.
  • The imageHashType option to ExifTool#read. TypeScript types restrict this to a literal union, but JS callers or callers with weakened type checking could reach the sink.

Applications that only pass hardcoded strings for tag names, options, and filenames are not affected.

Patches

Fixed in v35.19.0. Two layers of defense:

  1. Per-site input validation. A new validateTagName helper rejects any tag-name string containing characters outside the ExifTool tag grammar (letters, digits, :, -, _, and the ExifTool modifiers *, ?, +, #). Applied at every tag-name interpolation site.
  2. Defense-in-depth at the command renderer. ExifToolTask.renderCommand now rejects any argument containing \r, \n, or \0 before it is sent to the ExifTool process. This catches injection via filename arguments, option values, and any future interpolation site that forgets the per-site validator.

Workarounds

Upgrade to v35.19.0 or later.

If upgrading immediately is not possible, reject untrusted strings containing control characters before passing them to the affected APIs. Conservative guard:

function assertSafeForExifTool(s: string): void {
  if (typeof s !== "string" || /[\x00-\x20=<>]/.test(s)) {
    throw new Error("Rejected unsafe string for ExifTool");
  }
}

Apply to tag names, retain / numericTags entries, binary-extraction tag names, filenames, and the imageHashType option. This is a denylist and is strictly weaker than the library's internal validator; it is sufficient to block the known PoCs but will accept strings that the library itself now rejects.

Resources

  • ExifTool -stay_open / argument-file documentation: https://exiftool.org/exiftool_pod.html#stay_open-FLAG
  • ExifTool tag-name reference: https://exiftool.org/TagNames/
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') — https://cwe.mitre.org/data/definitions/88.html

Credit

  • Reporter: Hank Tam
  • Affiliation: Independent

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-05 19:53:47 UTC
Updated
2026-05-13 14:19:55 UTC
GitHub reviewed
2026-05-05 19:53:47 UTC
NVD published
2026-05-11

EPSS Score

Score Percentile
0.11% 28.18%

CVSS Scores

Base score Version Severity Vector
8.2 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Credits

  • Dobby153 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm exiftool-vendored <= 35.18.0 35.19.0

References

cvelogic Threat Intelligence