Zsxsoft

**Name of the Vulnerable Software and Affected Versions** Mermaid versions prior to 10.9.6 Mermaid versions 11.0.0-alpha.1 through 11.14.0 **Description** Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Under the default configuration, the `classDef` directive in state diagrams allows HTML injection that escapes the SVG context, leading to DOM injection. While `<script>` tags are stripped to prevent cross-site scripting (XSS), the issue still allows for the injection of arbitrary HTML elements into the Document Object Model (DOM), which is the programming interface for HTML and XML documents. **Recommendations** Update to version 10.9.6. Update to version 11.15.0. As a temporary workaround, set `securityLevel` to `sandbox` to render diagrams in a sandboxed `<iframe>`.

**Name of the Vulnerable Software and Affected Versions** Mermaid versions prior to 11.15.0 Mermaid versions prior to 10.9.6 **Description** Default configuration allows the injection of CSS that applies outside of the Mermaid diagram. This occurs through the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options, exploiting how stylis handles scope references. Specifically, using `:not(&)` escapes automatic scoping, allowing styles to be applied to all page elements. Additionally, global at-rules such as `@font-face`, `@keyframes`, and `@counter-style` can be injected as they are hoisted to the top level. This can lead to page defacement and the exfiltration of DOM attributes using CSS `:has()` selectors. **Recommendations** Update to version 11.15.0 or later. Update to version 10.9.6 or later. Set the `secure` configuration value to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Set `securityLevel` to `sandbox` to prevent the issue.