Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.
CVE-2021-43861 - High Severity Vulnerability
Vulnerable Libraries - mermaid-8.0.0-rc.8.min.js, mermaid-8.0.0-rc.8.js
mermaid-8.0.0-rc.8.min.js
Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams and gantt charts.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/mermaid/8.0.0-rc.8/mermaid.min.js
Path to vulnerable library: /public/mermaid/mermaid.min.js
Dependency Hierarchy: - :x: **mermaid-8.0.0-rc.8.min.js** (Vulnerable Library)
mermaid-8.0.0-rc.8.js
Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams and gantt charts.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/mermaid/8.0.0-rc.8/mermaid.js
Path to vulnerable library: /public/mermaid/mermaid.js
Dependency Hierarchy: - :x: **mermaid-8.0.0-rc.8.js** (Vulnerable Library)
Found in HEAD commit: 86334f0df744f6cfa35a438987cbb4d18d65b5c2
Found in base branch: master
Vulnerability Details
Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.
Publish Date: 2021-12-30
URL: CVE-2021-43861
CVSS 3 Score Details (7.2)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861
Release Date: 2021-12-30
Fix Resolution: mermaid - 8.13.8