OS Command Injection Vulnerability in Node-ts-ocr by NPM
CVE-2025-63705

8.8HIGH

Key Information:

Vendor: NPM
Status: node-ts-ocr
Vendor: CVE Published:; 7 May 2026

What is CVE-2025-63705?

The NPM package node-ts-ocr version 1.0.15 has a vulnerability that allows for OS Command Injection through the invokeImageOcr function. This security flaw can be exploited by attackers to execute arbitrary commands on the host system, potentially leading to unauthorized access or manipulation of the system. It is important for developers using this package to be aware of this vulnerability and take appropriate measures to mitigate the risks.

References

https://www.npmjs.com/package/node-ts-ocr

https://gist.github.com/6en6ar/a2ac44da0f4e580190be3e66cf...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Oct 27, 2025

CVE-2025-63705 Data

JSON