7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-m4gq-x24j-jpmf

EPSS Score

CWE

CWE-1321

Published

10/22/2024

Updated

10/23/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-m4gq-x24j-jpmf

GHSA-m4gq-x24j-jpmf: Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.

Patches

develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

(GitHub Advisory)

7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-m4gq-x24j-jpmf

EPSS Score

CWE

CWE-1321

Published

10/22/2024

Updated

10/23/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mermaid	npm	<= 10.9.2	10.9.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Mermaid's bundled DOMPurify version being <3.1.3. The root cause is DOMPurify's sanitize() function failing to properly handle prototype pollution vectors through nested HTML elements and improper depth checking. While Mermaid's own code isn't directly vulnerable, the bundled dependency's sanitization function becomes the attack surface. The patch confirms this by updating DOMPurify to a secure version without modifying Mermaid's own logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ollowin* *un*l** *il*s wit*in t** M*rm*i* NPM p**k*** *ont*in * *un*l** v*rsion o* *OMPuri*y t**t is vuln*r**l* to *ttps://*it*u*.*om/*ur***/*OMPuri*y/s**urity/**visori*s/**S*-mm*x-*mjr-r***, pot*nti*lly r*sultin* in *n XSS *tt**k. T*is *****ts

Reasoning

T** vuln*r**ility st*ms *rom M*rm*i*'s *un*l** `*OMPuri*y` v*rsion **in* <*.*.*. T** root **us* is `*OMPuri*y`'s `s*nitiz*()` *un*tion **ilin* to prop*rly **n*l* prototyp* pollution v**tors t*rou** n*st** *TML *l*m*nts *n* improp*r **pt* ****kin*. W*

7

Basic Information

Concerned about an active attack path?

GHSA-m4gq-x24j-jpmf: Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify

Patches

7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI