The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
Patches
aloisklink Remediation developer
sidharthv96 Remediation reviewer
ashishjain0512 Remediation reviewer
mlevy-parasoft Reporter
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjsThis will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.jsUsers that use the default NPM export of
mermaid, e.g.import mermaid from 'mermaid', or thedist/mermaid.core.mjsfile, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix.Patches
developbranch: 6c785c9