A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.Referenceshttps://hackerone.com/reports/703412
