GHSA-m4gq-x24j-jpmf: Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
(updated )
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
References
- github.com/advisories/GHSA-m4gq-x24j-jpmf
- github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- github.com/mermaid-js/mermaid
- github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00
- github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34
- github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf
Code Behaviors & Features
Detect and mitigate GHSA-m4gq-x24j-jpmf with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →