The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
Patches
develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
References
aloisklink Remediation developer
sidharthv96 Remediation reviewer
ashishjain0512 Remediation reviewer
mlevy-parasoft Reporter
byt3n33dl3 Analyst
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjsThis will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.jsUsers that use the default NPM export of
mermaid, e.g.import mermaid from 'mermaid', or thedist/mermaid.core.mjsfile, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix.Patches
developbranch: 6c785c93166c151d27d328ddf68a13d9d65adc00References