CVE-2025-55294: screenshot-desktop vulnerable to command Injection via `format` option

This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. An attacker can craft malicious input such as:

{ format: “; echo vulnerable > /tmp/hello;” }

This results in arbitrary command execution with the privileges of the calling process.

Who is impacted: Any application that accepts untrusted input and forwards it directly (or indirectly) into the format option is affected. If the library is used in a server-side context (e.g., API endpoints, web services), attackers may be able to exploit this remotely and without authentication, leading to full compromise of confidentiality, integrity, and availability.

CVSS v3.1 Base Score: 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H