CVE-2016-4991

9.8 CRITICAL

📋 TL;DR

CVE-2016-4991 is a command injection vulnerability in nodepdf's PDF rendering function. Attackers can inject shell commands through specially crafted input to the Pdf() function, leading to remote code execution. This affects systems using nodepdf 1.3.0 for PDF generation.

💻 Affected Systems

Products:
  • nodepdf
Versions: 1.3.0
Operating Systems: All platforms where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using nodepdf 1.3.0's Pdf() function with user-controlled input is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining shell access, exfiltrating data, and moving laterally within the network.

🟠 Likely Case

Unauthenticated remote code execution allowing attackers to run arbitrary commands on the server.

🟢 If Mitigated

No impact if proper input validation and sanitization are implemented or if the vulnerable version is not used.

🌐 Internet-Facing: HIGH - Directly exploitable via web applications using nodepdf for PDF generation.
🏢 Internal Only: MEDIUM - Still exploitable by authenticated users or through internal applications.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple command injection via a semicolon or curly braces in the input passed to the Pdf() function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1 and later

Vendor Advisory: https://www.npmjs.com/advisories/46

Restart Required: Yes

Instructions:

1. Update nodepdf to version 1.3.1 or later using 'npm update nodepdf'.
2. Restart the Node.js application.
3. Verify the update with 'npm list nodepdf'.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Implement strict input validation that rejects any input containing semicolons or curly braces before passing it to the Pdf() function.
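The following Node.js guard is an added example (not nodepdf's own code) of the workaround above. Rather than only rejecting the two characters the advisory names, it treats the source argument as untrusted and accepts only a narrow allowlist (a plain http(s) URL without a query string, or an absolute path made of safe characters), which covers semicolons and braces as a side effect. `isSafePdfSource`, `renderSafely` and `PdfCtor` are hypothetical names; the caller passes in the real nodepdf constructor.

```javascript
// Added example: validate the argument before it reaches Pdf().
// Assumption: callers pass either an http(s) URL or an absolute file path.

// Allowlist for URLs: scheme, host, optional port, optional path. No query
// string, so characters such as '&' and '=' never reach the renderer.
const URL_PATTERN = /^https?:\/\/[A-Za-z0-9.\-]+(?::\d{1,5})?(?:\/[A-Za-z0-9._~\-\/]*)?$/;
// Allowlist for local paths: absolute, safe characters only.
const PATH_PATTERN = /^\/[A-Za-z0-9._\-\/]+$/;
// Shell metacharacters, including the ';' and '{' '}' named in the advisory.
const SHELL_META = /[;{}`$|&<>\n\r\\'"\s]/;

function isSafePdfSource(source) {
  if (typeof source !== 'string' || source.length === 0 || source.length > 2048) {
    return false;
  }
  // Explicit deny-list first so a rejection is visible in logs if desired.
  if (SHELL_META.test(source)) return false;
  // Reject parent-directory segments in local paths (defensive extra, not
  // part of the advisory).
  if (source.startsWith('/') && /(^|\/)\.\.(\/|$)/.test(source)) return false;
  // Positive allowlist: only these two shapes are ever handed to Pdf().
  return URL_PATTERN.test(source) || PATH_PATTERN.test(source);
}

// Wrapper around the (hypothetical) Pdf constructor: refuse anything that
// fails validation instead of passing it through.
function renderSafely(source, PdfCtor) {
  if (!isSafePdfSource(source)) {
    throw new Error('rejected unsafe PDF source');
  }
  return new PdfCtor(source);
}

module.exports = { isSafePdfSource, renderSafely };
```

Note that `renderSafely` throws rather than silently sanitizing: stripping characters from an attacker-controlled string can still leave a valid but unintended command line, while rejecting the request is unambiguous and easy to alert on.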

Use Alternative PDF Library

Platform: all

Replace nodepdf with a secure PDF generation library such as pdfkit or puppeteer.

npm uninstall nodepdf
npm install pdfkit

🧯 If You Can't Patch

  • Implement strict input validation to reject semicolons and curly braces in all user input passed to the Pdf() function.
  • Isolate the vulnerable application in a restricted network segment with minimal permissions.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list nodepdf' to see whether version 1.3.0 is installed.

Check Version:

npm list nodepdf

Verify Fix Applied:

After updating, verify that 'npm list nodepdf' shows version 1.3.1 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in application logs
  • PDF generation failures with error messages containing shell syntax

Network Indicators:

  • Unexpected outbound connections from PDF generation service
  • Unusual process spawns during PDF operations

SIEM Query:

source="application.log" AND "Pdf()" AND ("{" OR "}" OR ";")
