Headline
GHSA-m4gq-x24j-jpmf: Mermaid allows prototype pollution in bundled version of DOMPurify
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
Patches
developbranch: 6c785c93166c151d27d328ddf68a13d9d65adc00- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
- dist/mermaid.min.js
- dist/mermaid.js
- dist/mermaid.esm.mjs
- dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid’, or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
Patches
- develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
References
- GHSA-mmhx-hmjr-r674
- GHSA-m4gq-x24j-jpmf
- mermaid-js/mermaid@6c785c9
- mermaid-js/mermaid@92a07ff