The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of mermaid
, e.g. import mermaid from 'mermaid'
, or the dist/mermaid.core.mjs
file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix
.
Patches
develop
branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
References
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of
mermaid
, e.g.import mermaid from 'mermaid'
, or thedist/mermaid.core.mjs
file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix
.Patches
develop
branch: 6c785c93166c151d27d328ddf68a13d9d65adc00References