A code injection vulnerability exists in node-df v0.1.4 that can allow an attacker to achieve remote code execution through unsanitized input. The issue occurs because user input is concatenated into a command that is then executed without any check. Reference: https://hackerone.com/reports/703412
Fixed in https://github.com/adriano-di-giovanni/node-df/pull/8; there is no upstream fix.
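The concatenation pattern described above, shown beside a hardened form, as an added example that is not node-df's own code. The function names and the `file` parameter are hypothetical, and the sample input is constructed.

```javascript
// Added example: command-string concatenation vs. an argument vector.
// Names here are hypothetical and do not reproduce node-df's API.

// Vulnerable pattern: caller input becomes part of a shell command line.
// Anything the shell treats as syntax (; | & $ ` newline) alters the command
// once the string is handed to child_process.exec(), which runs it via a shell.
function buildShellCommand(file) {
  let command = 'df -kP';
  if (file) command += ' ' + file;
  return command;
}

// Hardened pattern: build an argument vector, never a command string.
function buildDfArgs(file) {
  const args = ['-kP'];
  if (file === undefined || file === null) return args;
  if (typeof file !== 'string' || file.length === 0 || file.includes('\0')) {
    throw new TypeError('file must be a non-empty path string');
  }
  // "--" ends option parsing, so a value starting with "-" stays an operand.
  args.push('--', file);
  return args;
}

// execFile passes each array element to df as one literal argument;
// no shell is involved, so metacharacters are just bytes in a path name.
function runDf(file, callback) {
  // child_process is only needed when actually running df
  const { execFile } = require('node:child_process');
  execFile('df', buildDfArgs(file), { timeout: 5000 }, callback);
}

// Constructed input for illustration.
const sample = '/tmp; echo injected';
console.log('shell string :', buildShellCommand(sample));
console.log('argument list:', JSON.stringify(buildDfArgs(sample)));
```

With the argument-vector form, the constructed input reaches `df` as a single (nonexistent) path operand and the call fails with an error instead of running a second command.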