CVE-2020-28446: 
JavaScript vulnerability analysis and mitigation

The ntesseract package versions before 0.2.9 were found to be vulnerable to Command Injection via lib/tesseract.js. This vulnerability was discovered in December 2020 and was assigned CVE-2020-28446. The package ntesseract is a simple wrapper for the Tesseract OCR package for node.js (Snyk Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and impact on confidentiality, integrity, and availability all rated as High. The vulnerability exists in the command processing functionality within lib/tesseract.js, allowing for command injection attacks (Snyk Advisory).

A successful exploitation of this vulnerability could result in total loss of confidentiality, integrity, and availability of the affected system. The attacker could potentially execute arbitrary commands, leading to complete system compromise. The vulnerability can be exploited without any user interaction or special privileges (Snyk Advisory).

The vulnerability has been fixed in version 0.2.9 of the ntesseract package. Users are strongly recommended to upgrade to version 0.2.9 or higher to address this security issue. The fix includes proper handling of image input strings to prevent command injection (GitHub Patch).