CVE-2025-55294: 
JavaScript vulnerability analysis and mitigation

The screenshot-desktop library contains a critical command injection vulnerability (CVE-2025-55294) discovered on August 19, 2025. The vulnerability affects versions prior to 1.15.2 and allows capturing screenshots of local machines. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without proper sanitization, potentially leading to arbitrary command execution with the privileges of the calling process (GitHub Advisory).

The vulnerability stems from insufficient input validation in the format option parameter. An attacker can craft malicious input such as { format: "; echo vulnerable > /tmp/hello;" } which gets directly interpolated into shell commands without proper sanitization. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability can lead to full compromise of confidentiality, integrity, and availability of affected systems. If the library is used in a server-side context (e.g., API endpoints, web services), attackers may be able to exploit this remotely and without authentication. Any application that accepts untrusted input and forwards it directly or indirectly into the format option is affected (GitHub Advisory).

The vulnerability has been patched in version 1.15.2. Users are strongly recommended to upgrade to version 1.15.2 or later. If immediate upgrading is not possible, developers should implement workarounds such as strictly validating or whitelisting acceptable format values (e.g., "jpeg", "png", "webp"), rejecting or sanitizing any unexpected input before passing it to the library, and avoiding allowing user-controlled data to reach the format option (GitHub Advisory).