Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
- Severity: High
Description
The following bundled files within the Mermaid NPM package contain a copy of DOMPurify that is vulnerable to the prototype pollution issue described in https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack against applications that render Mermaid diagrams.
Recommendation
Update the mermaid package to a patched version. Version details:
- Affected version(s): <= 10.9.2
- Patched version(s): 10.9.3
References
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
- Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
- Tags:
- npm
- mermaid
Last updated on October 23, 2024