GHSA-m4gq-x24j-jpmf

Source
https://github.com/advisories/GHSA-m4gq-x24j-jpmf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-m4gq-x24j-jpmf/GHSA-m4gq-x24j-jpmf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m4gq-x24j-jpmf
Published
2024-10-22T18:17:02Z
Modified
2024-10-23T14:24:24Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Summary
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
Details

The following files bundled within the Mermaid NPM package contain a copy of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674 (prototype pollution), potentially resulting in an XSS attack.

This affects the built files:

  • dist/mermaid.min.js
  • dist/mermaid.js
  • dist/mermaid.esm.mjs
  • dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
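Since the exposure here depends on which build is loaded and at what version, a defender's first step is to find page sources that reference one of the four bundled files at a version in the affected range. The scanner below is an added example, not code from the advisory or from the Mermaid project; it assumes CDN URLs of the `.../npm/mermaid@<version>/dist/<file>` shape shown above and uses a constructed sample page.

```javascript
// Added example (not the advisory's or Mermaid's own code): find script/import
// references to the affected bundled Mermaid builds at versions <= 10.9.2.
const FIXED_VERSION = [10, 9, 3]; // from the advisory: fixed in 10.9.3
const AFFECTED_BUNDLES = new Set([
  'dist/mermaid.min.js', 'dist/mermaid.js',
  'dist/mermaid.esm.mjs', 'dist/mermaid.esm.min.mjs',
]);

// Parse "10.9.2" -> [10, 9, 2]; null for tags or ranges such as "10" or "latest".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// true if version < 10.9.3 (i.e. within "<= 10.9.2"), false if fixed,
// null if the version cannot be pinned down from the URL alone.
function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED_VERSION[i]) return p[i] < FIXED_VERSION[i];
  }
  return false;
}

// Assumed npm-CDN path shape: ".../mermaid@<version>/dist/<bundle>" (jsdelivr, unpkg).
const REF_RE = /mermaid@([^/'"\s]+)\/(dist\/[\w.\-]+)/g;

// Scan page source and return one finding per reference to a bundled build.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(REF_RE)) {
    const [ref, version, file] = m;
    if (!AFFECTED_BUNDLES.has(file)) continue; // e.g. dist/mermaid.core.mjs is not affected
    findings.push({ ref, version, file, vulnerable: isVulnerableVersion(version) });
  }
  return findings;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js"></script>
<script type="module">
  import mermaid from 'https://cdn.jsdelivr.net/npm/mermaid@10.9.3/dist/mermaid.esm.min.mjs';
  import core from 'https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.core.mjs';
</script>
<script src="https://unpkg.com/mermaid@10/dist/mermaid.js"></script>`;

for (const f of scanHtml(SAMPLE_HTML)) console.log(f);
```

A `vulnerable: null` finding (an unpinned tag such as `mermaid@10`) resolves to whatever the CDN currently serves, so it needs a manual check rather than being treated as safe.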

Patches

  • develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
  • backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
Database specific
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-22T18:17:02Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-1321",
        "CWE-1395"
    ]
}
Affected packages

Package: npm / mermaid

Affected ranges
  • Type: SEMVER
  • Events
      • Introduced: 0 (unknown introduced version; all previous versions are affected)
      • Fixed: 10.9.3

Database specific
  • last_known_affected_version_range: "<= 10.9.2"