A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.