← volver
CVE-2021-23352

Command Injection

CVSS 8.6 HIGHEPSS 2.1%
This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C
Productos afectados
n/a · madge

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/pahen/madge/blob/master/lib/graph.js%23L27https://github.com/pahen/madge/commit/da5cbc9ab30372d687fa7c324b22af7ffa5c6332https://snyk.io/vuln/SNYK-JS-MADGE-1082875