NodeJS/mermaid/7.1.2
Markdown-ish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.
https://www.npmjs.com/package/mermaid
MIT
3 Security Vulnerabilities
Cross-site Scripting in Mermaid
Published date: 2021-12-10T18:57:41Z
CVE: CVE-2021-35513
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-35513
- https://github.com/mermaid-js/mermaid/issues/2122
- https://github.com/mermaid-js/mermaid/pull/2123
- https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e
- https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2
- https://github.com/advisories/GHSA-4f6x-49g2-99fm
Mermaid before 8.11.0 allows XSS when the antiscript feature is used.
Affected versions:
["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2"]
Secure versions:
[9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7]
Recommendation:
Update to version 10.9.0.
Incorrect sanitisation function leads to `XSS` in mermaid
Published date: 2022-01-06T19:45:59Z
CVE: CVE-2021-43861
Links:
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
- https://nvd.nist.gov/vuln/detail/CVE-2021-43861
- https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
- https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
- https://github.com/advisories/GHSA-p3rp-vmj9-gv6v
Impact
Malicious diagrams can contain javascript code that can be run at diagram readers machines.
Patches
The users should upgrade to version 8.13.8
Workarounds
You need to upgrade in order to avoid this issue.
Affected versions:
["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2", "8.11.0", "8.11.1", "8.11.2", "8.11.3", "8.11.4", "8.11.5", "8.12.0", "8.12.1", "8.13.0", "8.13.1", "8.13.2", "8.13.3", "8.13.4", "8.13.5", "8.13.6", "8.13.7"]
Secure versions:
[9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7]
Recommendation:
Update to version 10.9.0.
Cross-Site Scripting in mermaid
Published date: 2020-09-02T15:41:41Z
Links:
Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.
Recommendation
Upgrade to version 8.2.3 or later
Affected versions:
["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2"]
Secure versions:
[9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0-rc1, 9.1.7, 9.2.0-rc2, 9.2.0-rc3, 9.2.0-rc4, 9.2.0-rc5, 9.2.0-rc6, 9.2.0-rc7, 9.2.0-rc8, 9.2.0-rc9, 9.2.0-rc10, 9.2.0, 9.2.1, 9.2.2-rc.2, 9.2.2, 9.2.3-rc.1, 9.3.0-rc.1, 9.3.0-rc.2, 9.3.0-rc.3, 9.3.0-rc.4, 9.3.0-rc.5, 9.3.0-rc.6, 9.3.0-rc.7, 9.3.0, 9.4.0-rc.1, 9.4.0-rc.2, 9.4.0, 9.4.2-rc.1, 10.0.0-rc.1, 10.0.0-rc.2, 10.0.0-rc.3, 10.0.0-rc.4, 10.0.0, 10.0.1-rc.1, 10.0.1-rc.2, 10.0.1-rc.3, 9.4.2-rc.2, 10.0.1-rc.4, 10.0.1-rc.5, 10.0.1, 10.0.2-rc.1, 10.0.2, 10.0.3-alpha.1, 9.4.2, 9.4.3, 10.1.0-rc.1, 10.1.0, 10.2.0-rc.1, 10.2.0-rc.2, 10.2.0-rc.3, 10.2.0-rc.4, 10.2.0, 10.2.1-rc.1, 10.2.1, 10.2.2, 10.2.3-rc.1, 10.2.3, 10.2.4-rc.1, 10.2.4, 10.3.0-rc.1, 10.3.0, 10.3.1, 11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 10.4.0, 10.5.0-alpha.1, 10.5.0-rc.1, 10.5.0-rc.3, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 11.0.0-alpha.5, 10.6.2-rc.1, 11.0.0-alpha.6, 10.6.2-rc.2, 10.6.2-rc.3, 10.7.0, 10.8.0, 10.9.0-rc.1, 10.9.0-rc.2, 10.9.0, 11.0.0-alpha.7]
Recommendation:
Update to version 10.9.0.
223 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 11.0.0-alpha.7 | MIT | 2024-03-23 - 13:27 | about 1 month | |
| 11.0.0-alpha.6 | MIT | 2023-11-26 - 15:49 | 5 months | |
| 11.0.0-alpha.5 | MIT | 2023-11-24 - 08:39 | 5 months | |
| 11.0.0-alpha.4 | MIT | 2023-08-16 - 05:32 | 8 months | |
| 11.0.0-alpha.3 | MIT | 2023-08-14 - 03:42 | 8 months | |
| 11.0.0-alpha.2 | MIT | 2023-08-12 - 16:02 | 9 months | |
| 11.0.0-alpha.1 | MIT | 2023-08-12 - 10:56 | 9 months | |
| 10.9.0 | MIT | 2024-03-05 - 17:25 | about 2 months | |
| 10.9.0-rc.2 | MIT | 2024-02-29 - 03:14 | about 2 months | |
| 10.9.0-rc.1 | MIT | 2024-02-27 - 08:51 | about 2 months | |
| 10.8.0 | MIT | 2024-02-02 - 10:32 | 3 months | |
| 10.7.0 | MIT | 2024-01-15 - 09:02 | 3 months | |
| 10.6.2-rc.3 | MIT | 2024-01-11 - 04:58 | 3 months | |
| 10.6.2-rc.2 | MIT | 2023-12-04 - 06:52 | 5 months | |
| 10.6.2-rc.1 | MIT | 2023-11-24 - 08:43 | 5 months | |
| 10.6.1 | MIT | 2023-11-06 - 15:05 | 6 months | |
| 10.6.0 | MIT | 2023-10-25 - 11:29 | 6 months | |
| 10.5.1 | MIT | 2023-10-20 - 12:29 | 6 months | |
| 10.5.0 | MIT | 2023-10-02 - 08:02 | 7 months | |
| 10.5.0-rc.3 | MIT | 2023-10-02 - 07:50 | 7 months | |
| 10.5.0-rc.1 | MIT | 2023-09-14 - 08:38 | 7 months | |
| 10.5.0-alpha.1 | MIT | 2023-09-07 - 07:23 | 8 months | |
| 10.4.0 | MIT | 2023-08-25 - 12:21 | 8 months | |
| 10.3.1 | MIT | 2023-08-11 - 12:22 | 9 months | |
| 10.3.0 | MIT | 2023-07-26 - 07:47 | 9 months | |
| 10.3.0-rc.1 | MIT | 2023-07-26 - 06:07 | 9 months | |
| 10.2.4 | MIT | 2023-06-30 - 11:14 | 10 months | |
| 10.2.4-rc.1 | MIT | 2023-06-30 - 10:57 | 10 months | |
| 10.2.3 | MIT | 2023-06-08 - 14:27 | 11 months | |
| 10.2.3-rc.1 | MIT | 2023-06-08 - 14:21 | 11 months | |
| 10.2.2 | MIT | 2023-06-02 - 08:03 | 11 months | |
| 10.2.1 | MIT | 2023-06-01 - 11:11 | 11 months | |
| 10.2.1-rc.1 | MIT | 2023-06-01 - 09:22 | 11 months | |
| 10.2.0 | MIT | 2023-05-24 - 17:13 | 11 months | |
| 10.2.0-rc.4 | MIT | 2023-05-24 - 16:25 | 11 months | |
| 10.2.0-rc.3 | MIT | 2023-05-09 - 04:46 | 12 months | |
| 10.2.0-rc.2 | MIT | 2023-04-23 - 19:05 | about 1 year | |
| 10.2.0-rc.1 | MIT | 2023-04-23 - 18:52 | about 1 year | |
| 10.1.0 | MIT | 2023-04-04 - 13:17 | about 1 year | |
| 10.1.0-rc.1 | MIT | 2023-04-03 - 12:46 | about 1 year | |
| 10.0.3-alpha.1 | MIT | 2023-03-07 - 03:54 | about 1 year | |
| 10.0.2 | MIT | 2023-03-02 - 12:45 | about 1 year | |
| 10.0.2-rc.1 | MIT | 2023-03-01 - 17:45 | about 1 year | |
| 10.0.1 | MIT | 2023-03-01 - 13:17 | about 1 year | |
| 10.0.1-rc.5 | MIT | 2023-03-01 - 12:55 | about 1 year | |
| 10.0.1-rc.4 | MIT | 2023-03-01 - 08:33 | about 1 year | |
| 10.0.1-rc.3 | MIT | 2023-02-28 - 14:34 | about 1 year | |
| 10.0.1-rc.2 | MIT | 2023-02-24 - 14:16 | about 1 year | |
| 10.0.1-rc.1 | MIT | 2023-02-24 - 12:57 | about 1 year | |
| 10.0.0 | MIT | 2023-02-21 - 09:21 | about 1 year | |
| 10.0.0-rc.4 | MIT | 2023-02-19 - 17:01 | about 1 year | |
| 10.0.0-rc.3 | MIT | 2023-02-19 - 14:36 | about 1 year | |
| 10.0.0-rc.2 | MIT | 2023-02-19 - 13:05 | about 1 year | |
| 10.0.0-rc.1 | MIT | 2023-02-19 - 08:41 | about 1 year | |
| 9.4.3 | MIT | 2023-03-07 - 18:40 | about 1 year | |
| 9.4.2 | MIT | 2023-03-07 - 15:50 | about 1 year | |
| 9.4.2-rc.2 | MIT | 2023-02-28 - 16:21 | about 1 year | |
| 9.4.2-rc.1 | MIT | 2023-02-18 - 18:20 | about 1 year | |
| 9.4.0 | MIT | 2023-02-15 - 15:18 | about 1 year | |
| 9.4.0-rc.2 | MIT | 2023-02-10 - 10:12 | about 1 year | |
| 9.4.0-rc.1 | MIT | 2023-01-30 - 09:18 | about 1 year | |
| 9.3.0 | MIT | 2022-12-15 - 09:19 | over 1 year | |
| 9.3.0-rc.7 | MIT | 2022-12-15 - 03:43 | over 1 year | |
| 9.3.0-rc.6 | MIT | 2022-12-14 - 04:16 | over 1 year | |
| 9.3.0-rc.5 | MIT | 2022-12-13 - 08:13 | over 1 year | |
| 9.3.0-rc.4 | MIT | 2022-12-12 - 19:09 | over 1 year | |
| 9.3.0-rc.3 | MIT | 2022-12-12 - 18:54 | over 1 year | |
| 9.3.0-rc.2 | MIT | 2022-12-12 - 18:26 | over 1 year | |
| 9.3.0-rc.1 | MIT | 2022-12-08 - 14:12 | over 1 year | |
| 9.2.3-rc.1 | MIT | 2022-11-16 - 07:45 | over 1 year | |
| 9.2.2 | MIT | 2022-11-09 - 15:21 | over 1 year | |
| 9.2.2-rc.2 | MIT | 2022-11-09 - 09:30 | over 1 year | |
| 9.2.1 | MIT | 2022-11-08 - 15:48 | over 1 year | |
| 9.2.0 | MIT | 2022-11-01 - 14:15 | over 1 year | |
| 9.2.0-rc10 | MIT | 2022-10-28 - 07:49 | over 1 year | |
| 9.2.0-rc9 | MIT | 2022-10-24 - 08:33 | over 1 year | |
| 9.2.0-rc8 | MIT | 2022-10-20 - 04:54 | over 1 year | |
| 9.2.0-rc7 | MIT | 2022-10-19 - 06:03 | over 1 year | |
| 9.2.0-rc6 | MIT | 2022-10-14 - 13:24 | over 1 year | |
| 9.2.0-rc5 | MIT | 2022-10-12 - 07:38 | over 1 year | |
| 9.2.0-rc4 | MIT | 2022-10-11 - 09:24 | over 1 year | |
| 9.2.0-rc3 | MIT | 2022-10-11 - 07:30 | over 1 year | |
| 9.2.0-rc2 | MIT | 2022-09-28 - 11:04 | over 1 year | |
| 9.2.0-rc1 | MIT | 2022-09-09 - 13:15 | over 1 year | |
| 9.1.7 | MIT | 2022-09-13 - 17:50 | over 1 year | |
| 9.1.6 | MIT | 2022-08-18 - 18:41 | over 1 year | |
| 9.1.5 | MIT | 2022-08-11 - 18:31 | over 1 year | |
| 9.1.4 | MIT | 2022-08-04 - 18:35 | over 1 year | |
| 9.1.3 | MIT | 2022-06-28 - 18:09 | almost 2 years | |
| 9.1.2 | MIT | 2022-06-14 - 17:33 | almost 2 years | |
| 9.1.1 | MIT | 1 | 2022-05-11 - 12:27 | almost 2 years |
| 9.1.0 | MIT | 1 | 2022-05-10 - 16:44 | almost 2 years |
| 9.0.1 | MIT | 1 | 2022-04-21 - 20:05 | about 2 years |
| 9.0.0 | MIT | 1 | 2022-04-07 - 18:44 | about 2 years |
| 8.14.0 | MIT | 1 | 2022-02-10 - 17:52 | about 2 years |
| 8.14.0-rc1 | MIT | 1 | 2022-01-22 - 12:33 | over 2 years |
| 8.13.10 | MIT | 1 | 2022-01-22 - 09:07 | over 2 years |
| 8.13.9 | MIT | 1 | 2022-01-16 - 15:07 | over 2 years |
| 8.13.8 | MIT | 1 | 2021-12-29 - 10:23 | over 2 years |
| 8.13.7 | MIT | 2 | 2021-12-23 - 10:18 | over 2 years |