Description
Malicious diagrams can contain JavaScript code that is executed on the machines of users who view the diagram.
Recommendation
Update the mermaid package to the latest compatible version. Version details follow:
- Affected version(s): < 8.13.8
- Patched version(s): 8.13.8
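The remediation above is a version bump, so the practical check is whether any copy of mermaid in a project's dependency tree is still below 8.13.8. The following is an added example written for this page, not code from the advisory or from the mermaid project: it parses exact semver versions, treats a prerelease of 8.13.8 as still affected, and walks a package-lock.json structure (both the v2/v3 "packages" map and the v1 nested "dependencies" form) to report every affected copy. The lockfile fragment at the bottom is constructed sample data, not a real project.

```javascript
// Added example: audit a lockfile for mermaid versions in the affected range (< 8.13.8).
// Assumes exact versions as recorded in package-lock.json, not package.json ranges like "^8.13.0".

const PATCHED_VERSION = '8.13.8'; // patched version stated in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; throws on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric comparison of the three components; a prerelease sorts below the
// same release, so 8.13.8-rc.1 is still older than 8.13.8.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.prerelease && !y.prerelease) return -1;
  if (!x.prerelease && y.prerelease) return 1;
  return 0;
}

// True when the installed version is strictly older than the patched version.
function isAffected(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Report every mermaid copy in a parsed package-lock.json that is still affected.
// Nested copies (a second mermaid under another dependency) are a common reason a
// project stays vulnerable after the top-level dependency was updated.
function findAffectedMermaid(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/mermaid') && meta && meta.version && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mermaid' && meta.version && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not a real project): the top-level mermaid is patched,
// but a nested copy pulled in by a hypothetical docs tool is still in the affected range.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/mermaid': { version: '8.13.8' },
    'node_modules/some-docs-tool/node_modules/mermaid': { version: '8.13.5' },
  },
};

console.log(findAffectedMermaid(SAMPLE_LOCK));
// → [ { path: 'node_modules/some-docs-tool/node_modules/mermaid', version: '8.13.5' } ]
```

Running it against a real lockfile is a matter of `JSON.parse` on the file contents and passing the result to `findAffectedMermaid`; any returned entry is a copy that the recommended update has not yet reached.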
References
Related Issues
- cumulative-distribution-function Infinite Loop vulnerability - CVE-2021-29486
- Astro's bypass of image proxy domain validation leads to SSRF and potential XSS - CVE-2025-59837
- Reflected XSS from the callback handler's error query parameter - CVE-2021-32702
- Reflected XSS when using flashMessages or languageDictionary - CVE-2021-32641
Tags:
- npm
- mermaid
Last updated on February 03, 2023