node-tesseract-ocr shell injection (CVE-2026-26832)
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. T...
Overview
A critical security vulnerability, tracked as CVE-2026-26832, has been discovered in the node-tesseract-ocr npm package. This package is a popular Node.js wrapper for the Tesseract optical character recognition (OCR) engine. The flaw allows attackers to execute arbitrary operating system commands on the host server, posing a severe risk to any application using this library.
Vulnerability Details
The vulnerability resides in the recognize() function in the package's src/index.js. That function builds a shell command line to run the tesseract binary on an image; the caller-supplied file path is concatenated into the command string without sanitization or quoting, and the resulting string is passed to child_process.exec(), which runs it through a shell (/bin/sh on POSIX systems, cmd.exe on Windows). Because the path is interpolated into shell syntax instead of being passed as a discrete argument, the shell treats any metacharacters it contains as command syntax.
An attacker who controls the path (for example, a filename derived from an upload or a request parameter) can include shell metacharacters such as ;, &, |, backticks or $( ) to terminate the intended tesseract command and append commands of their own, which the shell then executes on the host.
Impact
With a CVSS score of 9.8 (Critical), this vulnerability has a severe impact. Successful exploitation lets an attacker run arbitrary commands with the same privileges as the Node.js process. This could lead to:
- Complete compromise of the application server.
- Unauthorized access to sensitive data and file systems.
- Installation of malware or ransomware.
- Use of the server as a pivot point for attacks on internal networks.
Remediation and Mitigation
Immediate action is required to secure affected systems.
Primary Fix: Update the Package
The recommended fix is to upgrade node-tesseract-ocr to version 2.2.2 or later, provided a patched release exists; the advisory covers all versions through 2.2.1, so confirm on the npm registry that the version you intend to install actually addresses this issue. Raise the version in package.json and run npm install, then check what was resolved with npm ls node-tesseract-ocr (npm update only moves within the existing semver range, so it may not pick up the fix).
Immediate Mitigation (If Update is Not Possible):
- Input Validation: Treat every path passed to recognize() as untrusted. Allowlist the characters a filename may contain rather than trying to enumerate dangerous metacharacters (a denylist is easy to get wrong), reject path traversal sequences (../), reject paths beginning with - (tesseract would read them as options), and resolve the path against a fixed directory before use.
- Use Safer Process APIs: Refactor the call to child_process.execFile() or child_process.spawn() with an argument array. Both pass arguments straight to the program without a shell (unless the shell option is explicitly set), so metacharacters in the path are delivered as literal text rather than interpreted.
- Principle of Least Privilege: Run the Node.js process with the minimum system permissions it needs, in a container or sandbox where possible, to limit the damage of a successful exploit.
Organizations using this package should audit their applications for calls to recognize() that receive a caller-controlled path and apply the fix without delay.