CVE-2021-43861 — Improper Input Validation in Mermaid

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 34.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mermaid-js Mermaid Mermaid Project Mermaid Debian Node-mermaid

Timeline

PublishedDec 30

Latest updateJan 6

Description

Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5mermaid-js/mermaid< 8.13.8

▶debiandebian/node-mermaid< node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u2 (bullseye)

▶NVDmermaid_project/mermaid< 8.13.8

▶npmmermaid_project/mermaid< 8.13.8

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Incorrect sanitisation function leads to `XSS` in mermaid↗2022-01-06

▶

GHSA

Incorrect sanitisation function leads to `XSS` in mermaid↗2022-01-06

▶

OSV

CVE-2021-43861: Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex d↗2021-12-30

▶

📋Vendor Advisories

Debian

CVE-2021-43861: node-mermaid - Mermaid is a Javascript based diagramming and charting tool that uses Markdown-i...↗2021

▶