PT-2024-40360 · Dompurify+1

Published

2024-10-22

·

Updated

2024-10-22

CVSS v3.1

7.0

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Mermaid versions prior to the release that replaced the vulnerable bundled copy of DOMPurify
Description: The Mermaid NPM package ships a vulnerable copy of DOMPurify inside its self-contained browser bundles, which can lead to cross-site scripting (XSS) in applications that render diagrams with those bundles. Affected are users who load dist/mermaid.min.js, dist/mermaid.js, dist/mermaid.esm.mjs or dist/mermaid.esm.min.mjs, either directly from node_modules or via a CDN link; these files inline their own DOMPurify and therefore do not pick up a patched DOMPurify installed separately. Users who import the default NPM export of mermaid or dist/mermaid.core.mjs are not affected, because those entry points resolve DOMPurify from the project's own dependencies.
Recommendations: For versions prior to the fixed release, update the Mermaid package with your package manager (for example, by running npm audit fix or by raising the version in package.json) to obtain the patched build. Bundles loaded from a CDN are not covered by npm audit: pin the CDN URL to the patched release instead of an unversioned path. As a temporary workaround, avoid the bundled files listed above and load Mermaid through the default export or dist/mermaid.core.mjs, making sure that the separately installed dompurify package is itself at a patched version.
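The following added example is not taken from the advisory or from the Mermaid project. It shows a practical way to check the two points above from an application's own source: which Mermaid entry points are actually loaded, classified against the advisory's list of bundled files, and whether the pinned or installed Mermaid version predates the fixed release. It runs under Node.js with no dependencies. The sample source text is constructed, the regular expressions and function names are this example's own, and the fixed Mermaid version is a parameter the reader must take from the advisory, since this page does not state the number; the version numbers in the demo call are placeholders only.

```javascript
// Added example (not from the advisory or the Mermaid project): report which
// Mermaid entry points an application loads and whether the version in use
// predates the fixed release. Node.js, no third-party dependencies.

// Bundled files the advisory lists as carrying their own inlined copy of DOMPurify.
const AFFECTED_BUNDLES = new Set([
  'dist/mermaid.min.js',
  'dist/mermaid.js',
  'dist/mermaid.esm.mjs',
  'dist/mermaid.esm.min.mjs',
]);

// Entry points the advisory lists as unaffected (DOMPurify comes from node_modules).
const UNAFFECTED_ENTRIES = new Set(['dist/mermaid.core.mjs']);

// A path into the mermaid package, optionally behind a CDN URL prefix and a
// version tag, e.g. "mermaid/dist/mermaid.js" or
// "https://cdn.example/npm/mermaid@10.9.1/dist/mermaid.min.js" (assumed shapes).
const DIST_REF = /(https?:\/\/[^\s'"]*?\/)?\bmermaid(?:@([\w.\-]+))?\/(dist\/[\w.\-]+)/g;

// The bare package specifier, i.e. the default NPM export, in import/require forms.
const DEFAULT_REF = /(?:from\s*|import\s*|require\s*\(\s*)['"]mermaid['"]/g;

function classifyDistPath(distPath) {
  if (AFFECTED_BUNDLES.has(distPath)) return 'affected-bundle';
  if (UNAFFECTED_ENTRIES.has(distPath)) return 'unaffected';
  return 'unlisted'; // not named by the advisory: inspect the file by hand
}

// One record per Mermaid reference in `sourceText`, in source order.
function findMermaidReferences(sourceText) {
  const refs = [];
  for (const m of sourceText.matchAll(DIST_REF)) {
    refs.push({
      index: m.index, ref: m[0], remote: Boolean(m[1]),
      version: m[2] || null, path: m[3], status: classifyDistPath(m[3]),
    });
  }
  for (const m of sourceText.matchAll(DEFAULT_REF)) {
    refs.push({ index: m.index, ref: m[0], remote: false, version: null, path: null, status: 'unaffected' });
  }
  return refs.sort((a, b) => a.index - b.index);
}

// Numeric comparison of dotted versions; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// `fixedVersion` is the patched Mermaid release named in the advisory; this
// page does not state the number, so the caller supplies it.
function needsUpdate(installed, fixedVersion) {
  return compareVersions(installed, fixedVersion) < 0;
}

function auditSource(sourceText, { installedVersion, fixedVersion }) {
  return findMermaidReferences(sourceText).map((r) => {
    // A pinned CDN URL carries its own version, a local import uses the installed
    // package, and an unpinned CDN URL serves whatever the CDN resolves to today.
    const version = r.version || (r.remote ? null : installedVersion);
    let verdict;
    if (r.status !== 'affected-bundle') verdict = r.status;
    else if (!version) verdict = 'unknown-version';
    else verdict = needsUpdate(version, fixedVersion) ? 'vulnerable' : 'patched';
    return { ...r, version, verdict };
  });
}

// Constructed sample standing in for an application's source files.
const SAMPLE_SOURCE = `
import mermaid from 'mermaid';                           // default export
import core from 'mermaid/dist/mermaid.core.mjs';        // unaffected entry point
import bundled from 'mermaid/dist/mermaid.esm.min.mjs';  // self-contained bundle
<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.1/dist/mermaid.min.js"></script>
<script type="module" src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.esm.mjs"></script>
`;

// Placeholder numbers for the demo only; take the real fixed version from the advisory.
for (const r of auditSource(SAMPLE_SOURCE, { installedVersion: '10.9.0', fixedVersion: '10.9.2' })) {
  console.log(r.verdict.padEnd(16), r.version || '-', r.ref);
}
```

The unpinned CDN reference is deliberately reported as unknown rather than safe: the CDN decides which build it serves, so the only reliable fix for that case is pinning the URL to the patched release. Paths under dist/ that the advisory does not name are reported as unlisted so they are not silently treated as clean.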

Fix

Weakness Enumeration

Prototype Pollution (CWE-1321)

Related Identifiers

GHSA-M4GQ-X24J-JPMF

Affected Products

Dompurify
Mermaid