CVE-2025-55294
Published 2025-08-19
Priority: P2 (67) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.48% (70.7th percentile)
screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. This results in arbitrary command execution with the privileges of the calling process. This vulnerability is fixed in 1.15.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bencevans | screenshot-desktop | < 1.15.2 | 1.15.2 |
| bencevans | screenshot-desktop | >= 0 < 1.15.2 | 1.15.2 |
GHSA
ghsa · 2025-08-19
CVE-2025-55294 [CRITICAL] CWE-77 screenshot-desktop vulnerable to command injection via `format` option
## Impact
This vulnerability is a **command injection** issue.
When user-controlled input is passed into the `format` option of the screenshot function, it is interpolated into a shell command without sanitization.
An attacker can craft malicious input such as:

```js
{ format: "; echo vulnerable > /tmp/hello;" }
```
This results in arbitrary command execution with the privileges of the calling process.
**Who is impacted:**
Any application that accepts untrusted input and forwards it directly (or indirectly) into the `format` option is affected. If the library is used in a server-side context (e.g., API endpoints, web services), attackers may be able to exploit this **remotely and without authentication**, leading to full comp
OSV
osv · 2025-08-19
CVE-2025-55294 [CRITICAL] screenshot-desktop vulnerable to command injection via `format` option
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-08-19