CVE-2021-23352

8.6 HIGH

📋 TL;DR

CVE-2021-23352 is a command injection vulnerability in the madge package that allows attackers to execute arbitrary commands on the host system. It occurs when user-controlled input is passed to the graphVizPath option, whose value is executed via child_process.exec. Anyone using madge versions before 4.0.1 with untrusted input is affected.

💻 Affected Systems

Products:
  • madge
Versions: All versions before 4.0.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using custom graphVizPath parameter with untrusted input. Default configuration without custom path is not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case: Local privilege escalation or execution of arbitrary commands within the application context, potentially leading to lateral movement.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially only affecting the application's own data.

🌐 Internet-Facing: MEDIUM - Requires user input to be passed to vulnerable functions, but web applications using madge could be exposed.
🏢 Internal Only: HIGH - Development environments and CI/CD pipelines using madge are common targets for supply chain attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control the graphVizPath parameter. Public proof-of-concept demonstrates command injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.1

Vendor Advisory: https://github.com/pahen/madge/security/advisories/GHSA-5q88-cjfq-g2mh

Restart Required: No

Instructions:

1. Update the madge package to version 4.0.1 or later using npm update madge.
2. Verify the update with npm list madge.
3. Test application functionality with the updated version.

🔧 Temporary Workarounds

Input validation and sanitization

Platforms: all

Validate and sanitize all user input passed to the graphVizPath parameter before processing.

Implement input validation in application code to restrict graphVizPath to safe values.

Use safe exec functions

Platforms: all

Replace child_process.exec with child_process.execFile or spawn with proper argument handling.

Modify lib/graph.js to use execFile instead of exec.

🧯 If You Can't Patch

  • Implement strict input validation for graphVizPath parameter to only allow trusted, predefined paths.
  • Run madge in a sandboxed environment with minimal privileges and network access.

🔍 How to Verify

Check if Vulnerable:

Check package.json for madge version <4.0.1 or run npm list madge and verify version.

Check Version:

npm list madge | grep madge

Verify Fix Applied:

Confirm madge version is 4.0.1 or higher using npm list madge and test that custom graphVizPath no longer executes arbitrary commands.
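A version check that goes one step beyond the npm list one-liner above, as an added example (not part of the advisory): it walks the nested tree that `npm ls madge --json` prints, so copies of madge installed underneath other dependencies are found as well as the top-level one. The sample tree is constructed, not captured from a real project.

```javascript
// Added example, not from the advisory: walk the JSON that `npm ls --json`
// prints and list every installed copy of madge older than the fixed
// version, including copies nested under other dependencies that a plain
// top-level check would miss. SAMPLE_TREE is constructed, not captured.
const FIXED_VERSION = [4, 0, 1];

// Leading "x.y.z" of a version string; null when it does not parse.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version < 4.0.1. Unparsable versions are reported as vulnerable
// rather than silently skipped.
function isBelowFix(version) {
  const parts = parseSemver(version);
  if (!parts) return true;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false;
}

// Depth-first walk over the nested `dependencies` objects of npm's tree.
// Returns one entry per vulnerable copy with its location in the tree.
function findVulnerableMadge(tree, chain = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = chain.concat(name);
    if (name === 'madge' && isBelowFix(node.version)) {
      out.push({ location: here.join(' > '), version: String(node.version) });
    }
    findVulnerableMadge(node, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls --json`: one direct madge that is
// too old, one nested copy that is already at the fixed version.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    madge: { version: '3.12.0' },
    'build-helper': {
      version: '2.1.0',
      dependencies: { madge: { version: '4.0.1' } },
    },
  },
};

console.log(findVulnerableMadge(SAMPLE_TREE));
```

Feed it the real tree by parsing the output of `npm ls madge --json` in the project directory. One caveat worth knowing when following the fix instructions: `npm update` only moves within the semver range declared in package.json, so a project that declares a `^3.x` range will stay on 3.x; in that case install the new major explicitly (for example `npm install madge@^4.0.1`) and re-run the check.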

📡 Detection & Monitoring

Log Indicators:

  • Unusual child process executions from Node.js applications
  • Commands with unexpected arguments in process logs

Network Indicators:

  • Unexpected outbound connections from development or build systems

SIEM Query:

process.name:node AND process.args:*graphVizPath* AND process.parent.name:node
