GHSA-753c-phhg-cj29

Suggest an improvement
Source
https://github.com/advisories/GHSA-753c-phhg-cj29
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-753c-phhg-cj29/GHSA-753c-phhg-cj29.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-753c-phhg-cj29
Aliases
Published
2021-03-12T23:01:49Z
Modified
2025-01-08T07:12:01.409022Z
Summary
Madge vulnerable to command injection
Details

This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which, when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.

PoC

const madge = require('madge'); 
madge('..', {graphVizPath: "touch HELLO;"}) .then((res) => res.svg()) .then((writtenImagePath) => { console.log('Image written to ' + writtenImagePath); });
Database specific 
{
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2021-03-09T19:15:00Z",
    "github_reviewed_at": "2021-03-12T21:10:53Z",
    "cwe_ids": [
        "CWE-77",
        "CWE-89"
    ]
}
References

Affected packages

npm / madge

Package

Name
madge
View open source insights on deps.dev
Purl
pkg:npm/madge

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.1