CVE-2025-55294 Overview
CVE-2025-55294 is a critical command injection vulnerability in the screenshot-desktop npm package, which is used for capturing screenshots of local machines. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without proper sanitization. This results in arbitrary command execution with the privileges of the calling process, potentially allowing attackers to fully compromise affected systems.
Critical Impact
Remote attackers can achieve arbitrary command execution by injecting malicious payloads through the unsanitized format parameter, leading to complete system compromise with the privileges of the running Node.js process.
Affected Products
- screenshot-desktop npm package versions prior to 1.15.2
- Applications using screenshot-desktop with user-controlled format options
- Node.js applications that accept untrusted input for screenshot configuration
Discovery Timeline
- 2025-08-19 - CVE-2025-55294 published to NVD
- 2025-08-20 - Last updated in NVD database
Technical Details for CVE-2025-55294
Vulnerability Analysis
This vulnerability (CWE-77: Command Injection) exists in the screenshot-desktop library's handling of the format parameter across multiple platform implementations. The vulnerable code directly interpolates user-supplied input into shell commands without validation or sanitization. An attacker who can control the format option passed to the screenshot function can inject arbitrary shell commands that will be executed on the underlying operating system.
The vulnerability affects both the Darwin (macOS) and Linux implementations of the library, where the format option was concatenated directly into command strings that were then executed via a shell. This is particularly dangerous because screenshot functionality is often exposed in applications that process user input, creating a direct path from untrusted data to command execution.
Root Cause
The root cause of this vulnerability is improper input validation in the screenshot-desktop library. The code directly passed user-controlled input (the format option) into shell command construction without any validation against an allowlist of acceptable values or sanitization of special characters. This classic command injection pattern occurs when shell metacharacters in the input can break out of the intended command context and execute arbitrary commands.
Attack Vector
The attack vector is network-accessible, requiring no authentication or user interaction. An attacker can exploit this vulnerability by providing a malicious value for the format parameter that includes shell metacharacters and commands. When the screenshot function processes this input, the injected commands are executed with the same privileges as the Node.js process running the application.
For example, an attacker could supply a format value containing command separators (;, &&, |) followed by arbitrary commands to achieve code execution on the target system.
The security patch implements multiple defensive measures as shown in the commit:
return reject(new Error(`Invalid choice of displayId: ${displayId} ${validChoiceMsg}`))
}
- const format = options.format || 'jpg'
- let filename
- let suffix
+ // Validate format
+ const allowedFormats = ['jpg', 'jpeg', 'png', 'tiff', 'bmp', 'gif', 'pdf']
+ const format = (options.format || 'jpg').toLowerCase()
+ if (!allowedFormats.includes(format)) {
+ return reject(new Error('Invalid format'))
+ }
+
+ // Sanitize filename
+ let filename, suffix
if (options.filename) {
- const ix = options.filename.lastIndexOf('.')
- suffix = ix >= 0 ? options.filename.slice(ix) : `.${format}`
- filename = '"' + options.filename.replace(/"/g, '\\"') + '"'
+ // Only allow safe characters in filename
+ const safeFilename = options.filename.replace(/[^a-zA-Z0-9._\-/]/g, '')
+ const ix = safeFilename.lastIndexOf('.')
+ suffix = ix >= 0 ? safeFilename.slice(ix) : `.${format}`
+ filename = safeFilename
} else {
suffix = `.${format}`
}
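Review bot: the filename branch fails open by stripping characters rather than rejecting: `const safeFilename = options.filename.replace(/[^a-zA-Z0-9._\-/]/g, '')` silently turns an unexpected input into a different path instead of surfacing an error the way the format check a few lines up does (`return reject(new Error('Invalid format'))`); comparing `safeFilename` with `options.filename` and rejecting on mismatch would be the consistent choice. Two smaller points: the kept set still includes `/` and `.`, so directory traversal is not constrained by this regex and the caller must own that, and `suffix` continues to come from the caller's extension instead of the validated `format`. Finally, dropping the `'"' + ... + '"'` quoting is only correct if the command is now built as an argv array for execFile, which this hunk does not show.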
Source: GitHub Commit Reference
The Linux implementation also received similar hardening:
listDisplays().then((screens) => {
const screen = screens.find(options.screen ? screen => screen.id === options.screen : screen => screen.primary || screen.id === 'default') || screens[0]
- const filename = options.filename ? (options.filename.replace(/"/g, '\\"')) : '-'
+ // Validate format
+ const allowedFormats = ['jpg', 'jpeg', 'png', 'tiff', 'bmp', 'gif']
+ const filetype = (options.format || guessFiletype(options.filename || '')).toLowerCase()
+ if (!allowedFormats.includes(filetype)) {
+ return reject(new Error('Invalid format'))
+ }
+
+ // Sanitize filename
+ const filename = options.filename ? options.filename.replace(/[^a-zA-Z0-9._\-/]/g, '') : '-'
const execOptions =
options.filename
? {}
: {
encoding: 'buffer',
maxBuffer: maxBuffer(screens)
}
- const filetype = options.format || guessFiletype(filename)
- let commandLine = ''
+ let cmd, args
switch (options.linuxLibrary) {
- case 'scrot': // Faster. Does not support crop.
- commandLine = `scrot "$(unknown)" -e -z "echo \\"$(unknown)\\""`
+ case 'scrot':
+ cmd = 'scrot'
+ args = [filename, '-e', '-z', 'echo "' + filename + '"']
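Review bot: in the `scrot` case the fourth element `'echo "' + filename + '"'` is the string scrot receives for `-e`, and scrot runs that string through a shell, so moving to `cmd, args` does not remove shell parsing from this path; the character strip on `filename` a few lines up is the only thing preventing interpretation there, which deserves a comment at the `-e` line and, ideally, a reject-on-mismatch rather than a silent strip. Also, this `allowedFormats` omits `pdf` while the Darwin list includes it; if scrot genuinely cannot produce it, say so in a comment, otherwise align the two lists.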
Source: GitHub Commit Reference
Detection Methods for CVE-2025-55294
Indicators of Compromise
- Unexpected child processes spawned by Node.js applications using screenshot-desktop
- Unusual shell command patterns in process logs containing screenshot-related strings followed by command separators
- Anomalous network connections or file system modifications originating from Node.js processes
- Log entries showing errors related to screenshot format validation after patching
Detection Strategies
- Monitor for unusual command-line arguments in processes spawned by Node.js applications, particularly those containing shell metacharacters
- Implement application-level logging to capture screenshot function calls and their parameters
- Use Software Composition Analysis (SCA) tools to identify applications using vulnerable versions of screenshot-desktop
- Deploy runtime application self-protection (RASP) to detect command injection attempts
Monitoring Recommendations
- Enable process creation auditing to track child processes spawned by Node.js applications
- Configure alerts for screenshot-desktop related processes executing unexpected commands
- Review application logs for malformed format parameters or validation errors
- Monitor for the presence of vulnerable screenshot-desktop versions in npm dependency trees
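The process-auditing idea from the Detection Strategies and Monitoring Recommendations lists, as an added example that is not part of the advisory or of screenshot-desktop: a scanner over process-creation events that flags screenshot tools spawned by Node.js through a shell or with separators on the command line. The log format is constructed for this example, `scrot` is the Linux tool named in the patch, and `screencapture` as the macOS tool is an assumption.

```javascript
// Regexes for this example's heuristics.
const NODE_PARENT = /(^|\/)node$/;
const SCREENSHOT_TOOL = /\b(screencapture|scrot)\b/;
const SHELL_WRAPPER = /^(\/bin\/|\/usr\/bin\/)?(sh|bash|dash|zsh)\s+-c\b/;
const SHELL_META = /[;&|`$<>]/;

// Constructed process-creation events, one per line: parent image plus child
// command line. Real auditd/EDR records carry the same two fields.
const SAMPLE_LOG = [
  'parent=/usr/bin/node cmd=/usr/bin/screencapture -x -t png /tmp/shot.png',
  'parent=/usr/bin/node cmd=/bin/sh -c screencapture -x -t png; id',
  'parent=/usr/bin/node cmd=/bin/sh -c scrot "shot.png" -e -z "echo \\"shot.png\\""',
  'parent=/usr/bin/bash cmd=scrot shot.png',
];

function parseEvent(line) {
  const m = /^parent=(\S+)\s+cmd=(.*)$/.exec(line);
  return m ? { parent: m[1], cmd: m[2] } : null;
}

// Reasons a Node.js-spawned screenshot process deserves a look:
//  - shell-wrapper: a patched app calls the tool directly via execFile, so
//    any `sh -c` hop from a node parent is itself anomalous
//  - shell-metachar: command separators on the line, the advisory's indicator
function classify(ev) {
  const reasons = [];
  if (!ev || !NODE_PARENT.test(ev.parent) || !SCREENSHOT_TOOL.test(ev.cmd)) {
    return reasons;
  }
  if (SHELL_WRAPPER.test(ev.cmd)) reasons.push('shell-wrapper');
  if (SHELL_META.test(ev.cmd)) reasons.push('shell-metachar');
  return reasons;
}

// Returns only the events that triggered at least one reason.
function scan(lines) {
  return lines
    .map((line) => ({ line, reasons: classify(parseEvent(line)) }))
    .filter((hit) => hit.reasons.length > 0);
}
```

Against SAMPLE_LOG the direct execFile-style call and the bash-parented scrot are ignored, while both `sh -c` invocations are reported.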
How to Mitigate CVE-2025-55294
Immediate Actions Required
- Upgrade screenshot-desktop to version 1.15.2 or later immediately
- Audit applications to identify any usage of screenshot-desktop with user-controlled input
- Implement input validation at the application layer as defense-in-depth
- Review process privileges to ensure screenshot functionality runs with minimal required permissions
Patch Information
The vulnerability has been fixed in screenshot-desktop version 1.15.2. The fix implements allowlist validation for the format parameter, restricting it to known-safe values (jpg, jpeg, png, tiff, bmp, gif, pdf). Additionally, the patch switches from shell command execution to execFile, which prevents shell interpretation of arguments. Filename sanitization has also been added to remove potentially dangerous characters.
For detailed patch information, refer to the GitHub Security Advisory and the security fix commit.
Workarounds
- If immediate patching is not possible, implement application-level validation to restrict format options to a known-safe allowlist
- Avoid passing user-controlled input to screenshot-desktop configuration options
- Run Node.js applications with reduced privileges to limit the impact of potential exploitation
- Consider using alternative screenshot libraries that implement proper input validation
# Install the patched version (npm install with an explicit version pins it; npm update only moves within the existing semver range)
npm install screenshot-desktop@1.15.2
# Verify installed version
npm list screenshot-desktop
# Audit for vulnerabilities in dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

