Latest commit 0e318a2 Jun 3, 2019
CVE‑2019‑5678.html Add CVE-2019-5678 Jun 3, 2019 Update Jun 3, 2019
poc_image.gif Add CVE-2019-5678 Jun 3, 2019

CVE‑2019‑5678: Command Injection in Nvidia GeForce Experience Web Helper


Description: This vulnerability allows execution of arbitrary commands on a system with NVIDIA GeForce Experience (GFE) prior to version 3.19 installed. Exploitation requires convincing a victim to visit a crafted web site and make a few key presses. The root cause is a command injection in a local NodeJS server that GFE launches on startup.
Versions Affected: < 3.19
Researcher: David Yesland ( @daveysec)
Disclosure Link:
NIST CVE Link:‑2019‑5678
Vendor Disclosure:

Proof-of-Concept Exploit


By convincing a user to press CTRL+V+Enter, it is possible to force an upload of a configuration file containing a secret. That secret is needed to make a cross-origin request to a local Node server, which contains a command injection vulnerability that allows execution of arbitrary commands.


Visit the proof of concept HTML page in Chrome and press the keys to trigger it.
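
The chain above works because a leaked secret was enough to reach a handler that built a shell command from request data. The following is an added defensive example, not code from this repository or from NVIDIA: it shows a localhost Node service checking the request origin and secret, then mapping requests to fixed argument vectors instead of a shell string. The header name `x-local-token`, the allowed origin, and the action names are hypothetical.

```javascript
// Added illustration; all names below are assumptions, not GFE's real API.
const crypto = require('crypto');
const { execFile } = require('child_process');

// Hypothetical origin of the product's own local UI.
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:3000']);

// Each permitted action maps to a fixed program and fixed argv.
const ALLOWED_ACTIONS = new Map([
  ['show-version', [process.execPath, ['--version']]],
]);

// Constant-time comparison of the supplied secret with the expected one.
// Hashing first gives timingSafeEqual two buffers of equal length.
function tokenMatches(supplied, expected) {
  const a = crypto.createHash('sha256').update(String(supplied)).digest();
  const b = crypto.createHash('sha256').update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// A browser page on another site sends its own Origin header; reject it
// even when it presents the correct secret, since the secret can leak.
function authorize(headers, expectedToken) {
  const origin = headers['origin'];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) return false;
  return tokenMatches(headers['x-local-token'] ?? '', expectedToken);
}

// Unsafe pattern for contrast: exec('tool ' + requestValue) lets shell
// metacharacters in requestValue start additional commands.
// Safe pattern: the request only selects an entry from the allowlist.
function resolveCommand(action) {
  return ALLOWED_ACTIONS.get(action) ?? null;
}

// execFile passes argv directly to the program; no shell parses it.
function runAction(action, callback) {
  const cmd = resolveCommand(action);
  if (cmd === null) return callback(new Error('unknown action'));
  return execFile(cmd[0], cmd[1], { shell: false }, callback);
}
```
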

