VYPR
Moderate severity · NVD Advisory · Published Jun 27, 2021 · Updated Aug 4, 2024

CVE-2021-35513

Description

Mermaid before 8.11.0 allows XSS when the antiscript feature is used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mermaid before 8.11.0 is vulnerable to XSS via javascript: URLs in diagram links, bypassing the antiscript feature.

Vulnerability

Mermaid before 8.11.0 contains a cross-site scripting (XSS) vulnerability in the antiscript feature. The antiscript feature is designed to block potentially dangerous URLs in diagram flowcharts and links, but it fails to properly sanitize javascript: URLs. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the application using Mermaid. The vulnerability exists in all versions prior to 8.11.0 and was fixed in the pull request referenced as [1].

Exploitation

An attacker can exploit this vulnerability by crafting a Mermaid diagram that includes a link with a javascript: URL. For example, a flowchart node could have a click event pointing to javascript:alert(document.domain). When the diagram is rendered by Mermaid, the link will execute the attacker's JavaScript code in the user's browser. The attacker does not need any special network position or authentication, as the diagram is typically rendered client-side. User interaction may be required if the link only triggers on click, but the attacker can design the diagram to execute automatically without user interaction [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the web application that renders the Mermaid diagram. This can lead to full cross-site scripting (XSS) consequences: session hijacking, data theft, defacement, or further malicious actions on behalf of the victim user. The impact is limited to the security context of the hosting application, which may have restricted privileges [3].

Mitigation

The vulnerability is fixed in Mermaid version 8.11.0, released on February 15, 2021. Users should upgrade to this version or later. The fix was implemented in pull request [1], which adds proper sanitization of javascript: URLs in the antiscript feature. No workaround is available for versions prior to 8.11.0 other than upgrading. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
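The kind of check the Mitigation paragraph describes, sanitizing javascript: URLs in link targets, can be illustrated with a scheme allowlist. This is an added example, not Mermaid's code and not the fix from the referenced pull request; safeLinkTarget, ALLOWED_SCHEMES, SENTINEL_BASE and the sample inputs are hypothetical names and constructed values, and the block runs under Node.js.

```javascript
// Added example: scheme allowlist for link targets read from diagram text.
// safeLinkTarget, ALLOWED_SCHEMES and SENTINEL_BASE are hypothetical names,
// not part of Mermaid.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const SENTINEL_BASE = 'https://sentinel.invalid/'; // placeholder origin
const FALLBACK = 'about:blank';

function safeLinkTarget(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return FALLBACK;

  // Parse with the WHATWG URL parser so the check sees what a browser sees:
  // it drops tabs and newlines, trims leading control characters and
  // lower-cases the scheme before it is compared.
  let absolute = null;
  try {
    absolute = new URL(raw);
  } catch (_) {
    // Not an absolute URL; handled as a relative reference below.
  }
  if (absolute) {
    return ALLOWED_SCHEMES.has(absolute.protocol) ? absolute.href : FALLBACK;
  }

  // Relative reference: keep it only if it stays on the hosting origin.
  // Scheme-relative targets ("//host/...") resolve elsewhere and are refused.
  try {
    const resolved = new URL(raw, SENTINEL_BASE);
    const sameOrigin = resolved.origin === new URL(SENTINEL_BASE).origin;
    return sameOrigin ? raw.trim() : FALLBACK;
  } catch (_) {
    return FALLBACK;
  }
}

// Constructed sample inputs; the first is the form quoted in the text above.
const SAMPLES = [
  'javascript:alert(document.domain)',
  '  JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,x',
  'https://example.com/docs',
  '/wiki/Page#top',
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), '->', safeLinkTarget(sample));
}
```

Anything outside the allowlist, including mixed-case and whitespace-split spellings of the javascript: scheme, collapses to about:blank; this illustrates the technique and does not replace upgrading to 8.11.0 or later.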

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| mermaid (npm) | < 8.11.0 | 8.11.0 |
