Summary
Workarounds
Upgrade to v35.19.0 or later.
If upgrading immediately is not possible, reject untrusted strings containing control characters before passing them to the affected APIs. Conservative guard:
```typescript
function assertSafeForExifTool(s: string): void {
  if (typeof s !== "string" || /[\x00-\x20=<>]/.test(s)) {
    throw new Error("Rejected unsafe string for ExifTool");
  }
}
```
Apply to tag names, retain / numericTags entries, binary-extraction tag names, filenames, and the imageHashType option. This is a denylist and is strictly weaker than the library's internal validator; it is sufficient to block the known PoCs but will accept strings that the library itself now rejects.
Resources
- ExifTool -stay_open / argument-file documentation: https://exiftool.org/exiftool_pod.html#stay_open-FLAG
- ExifTool tag-name reference: https://exiftool.org/TagNames/
- CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'), https://cwe.mitre.org/data/definitions/88.html
Credit
- Reporter: Hank Tam
- Affiliation: Independent
Impact
exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters.
Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated.
The reported write-path issue is caused by unsanitized tag keys. Tag values passed to ExifTool#write are not affected, because WriteTask already encodes whitespace characters in values (e.g. \n -> ) before transmission.
Confirmed affected inputs:
- Tag-name arguments / tag keys: keys of the `tags` object passed to `ExifTool#write`; entries of the `retain` option to `ExifTool#deleteAllTags`; entries of the `numericTags` option to `ExifTool#read`; the `tagname` argument to `ExifTool#extractBinaryTag` and `#extractBinaryTagToBuffer`.
- Filename / path arguments to `ExifTool#write`, `#read`, `#readRaw`, `#deleteAllTags`, `#rewriteAllTags`, `#extractBinaryTag`, `#extractBinaryTagToBuffer`, and the binary-extraction convenience methods `#extractJpgFromRaw`, `#extractPreview`, and `#extractThumbnail`. `path.resolve()` does not strip newlines, so an application that accepts attacker-controlled filenames containing newline characters was vulnerable.
- The `imageHashType` option to `ExifTool#read`. TypeScript types restrict this to a literal union, but JS callers or callers with weakened type checking could reach the sink.
Applications that only pass hardcoded strings for tag names, options, and filenames are not affected.
CVE-2026-43893 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (35.19.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fixed in v35.19.0. Two layers of defense:
- Per-site input validation. A new `validateTagName` helper rejects any tag-name string containing characters outside the ExifTool tag grammar (letters, digits, `:`, `-`, `_`, and the ExifTool modifiers `*`, `?`, `+`, `#`). Applied at every tag-name interpolation site.
- Defense-in-depth at the command renderer. `ExifToolTask.renderCommand` now rejects any argument containing `\r`, `\n`, or `\0` before it is sent to the ExifTool process. This catches injection via filename arguments, option values, and any future interpolation site that forgets the per-site validator.
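The two layers above, re-implemented as an added example (this is not exiftool-vendored's own code; `isValidTagName`, `validateTagName`, `renderCommand`, `buildReadArgs` and the `-Tag#` rendering of numeric tags are assumptions). It contrasts with the denylist workaround in that the tag-name check is an allowlist of the stated grammar, and the renderer check runs on every argument, including filenames and option values:

```typescript
// Added example, not the library's implementation. Names are assumptions.

// ExifTool tag grammar as stated in the advisory: letters, digits, ':', '-', '_',
// plus the modifiers '*', '?', '+', '#'. Anything else (including '\n', '=', ' ') fails.
const TAG_NAME_RE = /^[A-Za-z0-9:\-_*?+#]+$/;

function isValidTagName(tag: unknown): tag is string {
  return typeof tag === "string" && TAG_NAME_RE.test(tag);
}

// Per-site validator: call at every point where a caller-supplied tag name is interpolated.
function validateTagName(tag: unknown): string {
  if (!isValidTagName(tag)) {
    throw new Error(`Invalid ExifTool tag name: ${JSON.stringify(tag)}`);
  }
  return tag;
}

// Defense-in-depth at the command renderer. In -stay_open True -@ - mode ExifTool reads
// one argument per line from stdin, so a CR, LF or NUL inside any argument would
// split it into several arguments. Reject them regardless of which site produced them.
function renderCommand(args: string[]): string {
  for (const a of args) {
    if (/[\r\n\0]/.test(a)) {
      throw new Error(`Unsafe control character in argument: ${JSON.stringify(a)}`);
    }
  }
  // One argument per line, terminated by the stay_open "-execute" line (ExifTool protocol).
  return args.join("\n") + "\n-execute\n";
}

// Hypothetical read call: assumes numeric tags render as "-Tag#" (assumption, not the library's code).
function buildReadArgs(file: string, numericTags: string[]): string {
  const args = ["-json", ...numericTags.map((t) => `-${validateTagName(t)}#`), file];
  return renderCommand(args);
}
```

Note that `validateTagName` alone would not protect the filename argument; only the renderer check covers that sink.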
Frequently Asked Questions
- What is CVE-2026-43893? CVE-2026-43893 is a high-severity security vulnerability in exiftool-vendored (npm), affecting versions <= 35.18.0. It is fixed in 35.19.0.
- How severe is CVE-2026-43893? CVE-2026-43893 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of exiftool-vendored are affected by CVE-2026-43893? exiftool-vendored (npm) versions <= 35.18.0 are affected.
- Is there a fix for CVE-2026-43893? Yes. CVE-2026-43893 is fixed in 35.19.0. Upgrade to this version or later.
- Is CVE-2026-43893 exploitable, and should I be worried? Whether CVE-2026-43893 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-43893 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-43893? Upgrade `exiftool-vendored` to 35.19.0 or later.