All the vulnerabilities related to version 7.1.2 of the package
Cross-site Scripting in Mermaid
Mermaid before 8.11.0 allows XSS when the antiscript feature is used.
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the following built files:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
Incorrect sanitisation function leads to XSS in mermaid
Malicious diagrams can contain JavaScript code that can be run on diagram readers' machines.
Users should upgrade to version 8.13.8.
You need to upgrade in order to avoid this issue.
Cross-Site Scripting in mermaid
Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.
Upgrade to version 8.2.3 or later.