Code Injection Affecting mdx-mermaid package, versions <1.3.0 >=2.0.0-rc1 <2.0.0-rc2
Threat Intelligence
EPSS: 0.05% (19th percentile)
- Snyk ID SNYK-JS-MDXMERMAID-3009151
- published 30 Aug 2022
- disclosed 30 Aug 2022
- credit sjwall
Introduced: 30 Aug 2022
CVE-2022-36036
How to fix?
Upgrade mdx-mermaid to version 1.3.0, 2.0.0-rc2 or higher.
Overview
mdx-mermaid is a package for displaying Mermaid diagrams in MDX files.
Affected versions of this package are vulnerable to Code Injection due to improper input validation, which makes it possible to inject malicious code inside a code block of Mermaid.spec.tsx. Exploitation is possible when a component is loaded by MDXjs.
CVSS Scores (version 3.1)