Guarantee over security?

Started by Enrico, October 24, 2022, 06:15:32 AM


Enrico

Hello team,
My team and I are seriously assessing whether exiftool can be adopted internally at our company as "the" tool to retrieve metadata.
One question though: how secure is it, and how can I prove it is secure?
Potential security concerns with running this tool on user data in our own cluster environment need to be considered. File formats like PDF, but also others, are famous as a vehicle for exploiting weaknesses in the code that reads them, potentially leading to privilege escalation or similar issues. This was one reason why we didn't like running ImageMagick on user data back in the day.
How can we make sure, without investigating line of code by line of code :-\ , that exiftool covers this security aspect?

Thanks in advance!

Phil Harvey

You have seen the Security Issues section of the ExifTool home page. The prospect of remote code execution is the biggest threat, and if you pay attention to the arguments you pass to exiftool then you should avoid the biggest pitfalls. ExifTool is widely used, and some security experts have informed me of a few issues in the code which have been fixed. There are likely some remaining issues like malicious files that can crash or hang ExifTool, but I would be surprised if there are any internal remote-code-execution vulnerabilities.

- Phil
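A wrapper that applies the two points from Phil's reply (be careful what arguments reach exiftool; expect that a crafted file may crash or hang it), as an added example that is not part of the thread or the ExifTool project. It assumes a Linux host with GNU coreutils (`realpath -e`, `timeout -k`) and exiftool on PATH, and that the wrapper runs as an unprivileged service account; `safe_path`, `extract_metadata` and the upload-root layout are this example's own.

```shell
#!/bin/sh
# Added example: hardened invocation of exiftool over untrusted uploads.
# Assumes GNU coreutils (realpath -e, timeout -k) and exiftool on PATH.

# Canonicalise a user-supplied path and refuse anything that could reach
# exiftool as something other than a plain file name. An absolute path
# can never start with "-" (read as an option) or "|" (historically, a
# pipe to a command), and resolving symlinks keeps the caller from
# pointing us at files outside the intended upload tree.
safe_path() {
    root=$(realpath -e -- "$1" 2>/dev/null) || return 1
    resolved=$(realpath -e -- "$2" 2>/dev/null) || return 1
    case "$resolved" in
        "$root"/*) ;;           # inside the allowed tree
        *) return 1 ;;
    esac
    # Regular files only: no directories (which exiftool would recurse
    # into), devices or FIFOs.
    [ -f "$resolved" ] || return 1
    printf '%s\n' "$resolved"
}

# Run exiftool read-only under a wall-clock bound, so a file that crashes
# or hangs the parser costs one worker slot for at most $3 seconds.
# -json gives machine-readable output; stdin is closed so nothing can be
# fed to exiftool interactively. Exit status 124 from timeout means the
# bound was hit, which is worth logging as a suspicious file.
extract_metadata() {
    upload_root=$1
    candidate=$2
    seconds=${3:-20}
    target=$(safe_path "$upload_root" "$candidate") || {
        printf 'rejected: %s\n' "$candidate" >&2
        return 2
    }
    timeout -k 5 "$seconds" exiftool -json "$target" </dev/null
}
```

Running the wrapper as a dedicated low-privilege user inside a container or a systemd unit with a read-only filesystem view of the upload directory bounds what a parser bug in exiftool itself could reach.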

Enrico

Hi Phil,
thanks as always for your replies!
I have seen the Security Issues section, and it deals with input file names.
I was more pointing to code execution vulnerabilities like the ones that happened for ImageMagick back in the day: link to the ImageTragick problem.
Part of those vulnerabilities, as you may read, is indeed about parameter injection, but others are not.
So I was just wondering what the current state of things is, and I think you have already explained enough to me, thanks :)