CVE-2026-43893 Overview
CVE-2026-43893 is an argument injection vulnerability [CWE-88] in exiftool-vendored, a Node.js library providing cross-platform access to ExifTool. The library starts ExifTool in -stay_open True -@ - mode, in which ExifTool reads its arguments from stdin one per line. Versions prior to 35.19.0 interpolated caller-supplied strings into that argument stream without rejecting line delimiters, so an attacker who controls an input string can embed a newline or carriage return to split one intended argument into several ExifTool arguments. Successful exploitation lets the attacker make ExifTool read arbitrary files or write output to attacker-chosen filesystem paths, in both cases limited to what the ExifTool process itself can access.
Critical Impact
Attacker-controlled strings passed to affected APIs enable argument injection, exposing files readable by the ExifTool process and permitting arbitrary file writes within process-accessible paths. No remote code execution has been demonstrated.
Affected Products
- exiftool-vendored (Node.js package) versions prior to 35.19.0
- Applications passing attacker-controlled strings to affected exiftool-vendored APIs
- Node.js services performing image or metadata processing using vulnerable releases
Discovery Timeline
- 2026-05-11 - CVE-2026-43893 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43893
Vulnerability Analysis
The exiftool-vendored library spawns ExifTool as a long-running subprocess using the -stay_open True -@ - flags. In this mode, ExifTool reads command arguments from standard input, with each line treated as a discrete argument and -execute markers separating command batches. The library accepts caller-supplied parameters such as file paths and option values and writes them directly to the subprocess stdin. Affected versions did not strip or reject embedded line feed (\n) and carriage return (\r) characters within these strings. An attacker who controls any interpolated string can terminate the current argument early and append additional ExifTool flags. The remediation in version 35.19.0 rejects line delimiters and additionally rejects NUL bytes as unsafe control characters.
Root Cause
The root cause is improper neutralization of argument delimiters when constructing ExifTool command sequences [CWE-88]. The stdin-driven argument protocol treats newlines as separators, but the calling code did not enforce this constraint on user-supplied data before forwarding it to the subprocess.
Attack Vector
Exploitation requires that an application pass attacker-controlled strings, such as filenames, tag values, or option arguments, into vulnerable exiftool-vendored APIs. By embedding \n followed by additional ExifTool flags like -TagsFromFile, -o, or -w, the attacker can redirect ExifTool to read sensitive files within the process's reach or write output to chosen filesystem locations. The vulnerability is reachable over the network when the calling application accepts user input remotely, though impact is bounded by ExifTool process permissions.
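The split described above, modelled as an added example written for this page (it is not exiftool-vendored's own implementation; the function names, the simplified -@ reader and the hostile filename are all assumptions made here):

```javascript
// Added example for this page; not exiftool-vendored's code. A minimal model of
// ExifTool's "-stay_open True -@ -" protocol: one argument per stdin line, and a
// line reading "-execute" runs the batch accumulated so far.

// Vulnerable pattern: caller-supplied strings are joined into the stdin stream
// without being checked for the delimiter the protocol itself uses.
function buildBatchUnchecked(args) {
  return args.join("\n") + "\n-execute\n";
}

// Simplified stand-in for ExifTool's -@ reader (assumption: the real reader does
// more, but the one-line-per-argument rule is the only part that matters here).
function parseStayOpenStream(stream) {
  const batches = [];
  let current = [];
  for (const line of stream.split("\n")) {
    if (line === "") continue;
    if (line === "-execute") {
      batches.push(current);
      current = [];
      continue;
    }
    current.push(line);
  }
  return batches;
}

// The 35.19.0 fix in spirit: refuse any caller-supplied string that contains a
// line feed, carriage return or NUL before it reaches stdin. Name assumed here.
function assertSafeArg(value) {
  if (/[\r\n\0]/.test(value)) {
    throw new Error(`unsafe control character in ExifTool argument: ${JSON.stringify(value)}`);
  }
  return value;
}

function buildBatchChecked(args) {
  return buildBatchUnchecked(args.map(assertSafeArg));
}

// Constructed attacker input: a "filename" that smuggles two extra arguments.
// -TagsFromFile makes ExifTool open a second file, here one the attacker chose.
const HOSTILE_NAME = "photo.jpg\n-TagsFromFile\n/etc/passwd";

function demo() {
  const intended = ["-json", HOSTILE_NAME]; // the caller believes it sent 2 arguments
  const seenByExifTool = parseStayOpenStream(buildBatchUnchecked(intended))[0];
  let rejectedByFix = false;
  try {
    buildBatchChecked(intended);
  } catch (err) {
    rejectedByFix = true;
  }
  return {
    intendedCount: intended.length,     // 2
    actualCount: seenByExifTool.length, // 4
    seenByExifTool,
    rejectedByFix,                      // true
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run with node and compare intendedCount with actualCount: the caller sent two strings, ExifTool received four arguments, and the patched-style check refuses the same input before it is written to stdin. Rejecting rather than stripping the delimiters is the right choice, because a silently "cleaned" filename would no longer name the file the caller meant.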
No verified public exploit code is available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-43893
Indicators of Compromise
- ExifTool subprocesses reading or writing files outside expected media directories of the host application.
- Application logs containing user-supplied filenames or tag values with embedded \n, \r, or NUL byte sequences.
- ExifTool subprocesses of Node.js services running exiftool-vendored below 35.19.0 opening files unrelated to the media being processed. The injection redirects the existing ExifTool subprocess rather than spawning anything new, so child process creation by itself is not an indicator of this issue.
Detection Strategies
- Inventory Node.js dependencies and flag any project resolving exiftool-vendored below 35.19.0 using npm ls exiftool-vendored or software composition analysis tools.
- Inspect application input handlers that pass filenames, output paths, or ExifTool option strings from HTTP requests directly into the library.
- Audit filesystem access by ExifTool processes to detect reads of sensitive paths such as /etc/passwd or application configuration files.
Monitoring Recommendations
- Log and alert on ExifTool argument streams that contain control characters or unexpected option flags.
- Monitor for file writes by ExifTool to directories outside the application's designated working paths.
- Track process lineage where perl or exiftool binaries spawn under Node.js parents to baseline expected behavior.
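An added example of the argument-stream alerting suggested above, written for this page rather than taken from the advisory or the project. The JSON log schema (one record per ExifTool call with the passed strings in "args"), the set of expected flags and the sample lines are all constructed for the illustration:

```javascript
// Added example for this page, not from the advisory or exiftool-vendored.
// Assumed log schema: one JSON object per ExifTool call, with the strings the
// application handed to the library in "args" and a timestamp in "ts".
const CONTROL_CHARS = /[\r\n\0]/;

// Flags this hypothetical application passes itself. Anything else that looks
// like an option, in a slot where only a filename should appear, is suspicious.
const EXPECTED_FLAGS = new Set(["-json", "-n", "-fast"]);

function inspectRecord(record) {
  const findings = [];
  const args = Array.isArray(record.args) ? record.args : [];
  args.forEach((arg, index) => {
    if (typeof arg !== "string") return;
    if (CONTROL_CHARS.test(arg)) {
      findings.push({ index, reason: "control-char", value: arg });
    }
    // Split the way the -@ reader would and inspect each token, so an injected
    // option is reported by name rather than buried inside a long string.
    for (const token of arg.split(CONTROL_CHARS)) {
      if (token.startsWith("-") && !EXPECTED_FLAGS.has(token)) {
        findings.push({ index, reason: "unexpected-flag", value: token });
      }
    }
  });
  return findings;
}

function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    let record;
    try {
      record = JSON.parse(line);
    } catch (err) {
      continue; // not a JSON record; out of scope for this detector
    }
    const findings = inspectRecord(record);
    if (findings.length > 0) alerts.push({ ts: record.ts, findings });
  }
  return alerts;
}

// Constructed sample log: line 2 carries an injected -o (output path), line 3 a
// stray carriage return, and line 4 is unrelated noise the scanner must skip.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2026-05-12T10:00:00Z", args: ["-json", "uploads/cat.jpg"] }),
  JSON.stringify({ ts: "2026-05-12T10:00:05Z", args: ["-json", "uploads/x.jpg\n-o\n/tmp/out.txt"] }),
  JSON.stringify({ ts: "2026-05-12T10:00:09Z", args: ["-json", "uploads/weird.jpg\r"] }),
  "May 12 10:00:10 app[123]: not a JSON record",
];

function runDetection() {
  return scanLog(SAMPLE_LOG);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDetection(), null, 2));
}
```

The two rules are deliberately independent: the control-character rule catches any delimiter smuggling even when the injected tokens are unknown, and the unexpected-flag rule names the option an attacker tried to add, which is what an analyst needs to judge whether a read (-TagsFromFile) or a write (-o, -w) was attempted.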
How to Mitigate CVE-2026-43893
Immediate Actions Required
- Upgrade exiftool-vendored to version 35.19.0 or later across all Node.js projects.
- Audit application code for any direct interpolation of user-controlled strings into ExifTool option arguments.
- Restrict the filesystem permissions of the user account running the ExifTool process to the minimum required directories.
Patch Information
The maintainers fixed CVE-2026-43893 in exiftool-vendored version 35.19.0. The patch rejects line delimiters (\n, \r) and NUL bytes in caller-supplied strings before they are forwarded to the ExifTool stdin protocol. Refer to the GitHub Security Advisory GHSA-cw26-7653-2rp5 for full remediation details.
Workarounds
- Validate and sanitize all caller-supplied strings to reject \n, \r, and NUL byte characters before invoking exiftool-vendored APIs.
- Run the Node.js service under a dedicated low-privilege account with no access to sensitive files or writable system paths.
- Apply allowlists for ExifTool option flags and filename patterns accepted from external input.
# Upgrade exiftool-vendored to the patched release
npm install exiftool-vendored@^35.19.0
npm ls exiftool-vendored
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


