Possible inject arbitrary `CSS` into the generated graph affecting the container HTML
- Severity:
- Medium
Description
An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.
Recommendation
Update the mermaid package to the latest compatible version. Followings are version details:
- Affected version(s): >= 8.0.0, < 9.1.2
- Patched version(s): 9.1.2
References
Related Issues
- Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection - CVE-2026-41148
- Sanitize-html Vulnerable To REDoS Attacks - CVE-2022-25887
- Unsanitized JavaScript code injection possible in gatsby-plugin-mdx - CVE-2022-25863
- Raneto Denial of Service via crafted payload injected into `Search` parameter - CVE-2022-35142
You might also like:
- Tags:
- npm
- mermaid
Anything's wrong? Let us know Last updated on July 21, 2023


