CVE-2020-28446

9.8 CRITICAL

📋 TL;DR

CVE-2020-28446 is a command injection vulnerability in the ntesseract npm package that allows attackers to execute arbitrary commands on the host system. The vulnerability exists in lib/tesseract.js where user input is improperly sanitized before being passed to system commands. This affects any application using vulnerable versions of ntesseract for OCR processing.

💻 Affected Systems

Products:
  • ntesseract npm package
Versions: All versions before 0.2.9
Operating Systems: All operating systems where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using ntesseract for OCR with user-controlled input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing remote code execution, data theft, lateral movement, and complete control of affected systems.

🟠 Likely Case: Remote code execution leading to data exfiltration, cryptocurrency mining, or ransomware deployment on vulnerable servers.

🟢 If Mitigated: Limited impact with proper input validation, sandboxing, and least privilege execution preventing command execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user input to reach the vulnerable function, which is common in OCR processing workflows.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.9 and later

Vendor Advisory: https://github.com/taoyuan/ntesseract/commit/fcbc36f381798b4362179c0cdf9961b437c7b619

Restart Required: Yes

Instructions:

1. Update package.json to specify ntesseract version 0.2.9 or higher.
2. Run 'npm update ntesseract'.
3. Restart the application.
4. Test OCR functionality.

🔧 Temporary Workarounds

Input Validation and Sanitization (Platform: all)

Implement strict input validation to reject any non-alphanumeric characters in OCR input parameters.

Sandbox Execution (Platform: all)

Run the Node.js application in a container or sandbox with limited permissions to restrict command execution impact.

🧯 If You Can't Patch

  • Implement strict input validation to reject shell metacharacters in all user inputs
  • Run the application with minimal privileges and in a containerized environment

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list ntesseract' to see if version is below 0.2.9.

Check Version:

npm list ntesseract | grep ntesseract

Verify Fix Applied:

After updating, verify version is 0.2.9 or higher with 'npm list ntesseract' and test OCR functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Spawned processes from Node.js with unexpected arguments
  • Failed OCR processing with error messages containing shell commands

Network Indicators:

  • Outbound connections from OCR processing servers to unexpected destinations
  • Data exfiltration patterns following OCR operations

SIEM Query:

process.name: "node" AND (process.args: "*;*" OR process.args: "*|*" OR process.args: "*&*" OR process.args: "*`*")
