PT-2022-20533 · Mermaid+1

Knsv · Published 2022-06-28 · Updated 2023-07-21 · CVE-2022-31108

CVSS v2.0: 5.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Mermaid versions prior to 9.1.3

Description

Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker can inject arbitrary CSS into the generated graph, which lets them change the styling of elements outside the generated graph and potentially exfiltrate sensitive information by using specially crafted CSS selectors. This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests, and it also allows an attacker to change the document in ways that may lead a user to perform unintended actions.

Recommendations

For versions prior to 9.1.3, ensure that user input is adequately escaped before embedding it in CSS blocks. As a temporary workaround, consider restricting the use of user-supplied CSS until a patch is available. Users are advised to upgrade to version 9.1.3 or later to resolve the issue. If upgrading is not possible, users should ensure that all user input is properly sanitized to prevent arbitrary CSS injection.
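One way to apply the escaping recommendation above when upgrading is not possible is to validate user-supplied style values against an allowlist before they are written into a CSS block. This is an added example, not Mermaid's code or its 9.1.3 fix; the function names, the `.node` selector and the allowlist policy are assumptions.

```javascript
// Added example: hypothetical helpers, not Mermaid's API or its 9.1.3 patch.
// Policy (an assumption): a user-supplied value may only be a hex colour,
// a plain keyword, or a number with a simple length unit. Anything that
// could close the declaration or call a CSS function is refused.
const SAFE_VALUE =
  /^(#[0-9a-fA-F]{3,8}|[a-zA-Z][a-zA-Z-]{0,30}|\d{1,4}(\.\d{1,3})?(px|em|rem|%)?)$/;
const SAFE_PROPERTY = new Set(["fill", "stroke", "color", "font-size", "stroke-width"]);
const SAFE_ID = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

function validateDeclaration(property, value) {
  if (typeof property !== "string" || typeof value !== "string") {
    return { ok: false, reason: "non-string input" };
  }
  if (!SAFE_PROPERTY.has(property)) {
    return { ok: false, reason: "property not on allowlist" };
  }
  const trimmed = value.trim();
  if (!SAFE_VALUE.test(trimmed)) {
    return { ok: false, reason: "value not on allowlist" };
  }
  return { ok: true, css: `${property}: ${trimmed};` };
}

// Builds one rule scoped to a single diagram container and reports what was
// refused, so rejected input can be logged instead of silently dropped.
function buildScopedStyle(diagramId, declarations) {
  if (!SAFE_ID.test(diagramId)) throw new Error("unsafe diagram id");
  const accepted = [];
  const rejected = [];
  for (const [property, value] of Object.entries(declarations)) {
    const result = validateDeclaration(property, value);
    if (result.ok) accepted.push(result.css);
    else rejected.push({ property, reason: result.reason });
  }
  return { css: `#${diagramId} .node { ${accepted.join(" ")} }`, rejected };
}

// Constructed sample input: two benign values and three that must be refused.
const sample = buildScopedStyle("diagram-1", {
  fill: "#ffcc00",
  "font-size": "14px",
  stroke: "red;} body {display:none",
  color: "url(https://example.invalid/x)",
  position: "fixed",
});
console.log(sample.css);
console.log(sample.rejected);
```

Validating against an allowlist avoids having to enumerate every CSS metacharacter, and the scoped selector keeps accepted declarations inside the diagram container.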

Exploit · Fix · XSS · Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2022-31108
GHSA-X3VM-38HW-55WF

Affected Products

Debian
Mermaid