Commit c5b1784

fix(security): update dependency mermaid to v11.10.0 [security] (#1255)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.8.0` -> `11.10.0`](https://renovatebot.com/diffs/npm/mermaid/11.8.0/11.10.0) | [age badge](https://docs.renovatebot.com/merge-confidence/) | [confidence badge](https://docs.renovatebot.com/merge-confidence/) |
### GitHub Vulnerability Alerts

#### [CVE-2025-54880](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw)
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for
architecture diagram icons is passed to the d3 `html()` method, creating
a sink for cross site scripting.
### Details
Architecture diagram service `iconText` values are passed to the d3
`html()` method, allowing malicious users to inject arbitrary HTML and
cause XSS when mermaid-js is used in its default configuration.
The vulnerability lies here:
```ts
export const drawServices = async function (
  db: ArchitectureDB,
  elem: D3Element,
  services: ArchitectureService[]
): Promise<number> {
  for (const service of services) {
    /** ... **/
    } else if (service.iconText) {
      bkgElem.html(
        `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>`
      );
      const textElemContainer = bkgElem.append('g');
      const fo = textElemContainer
        .append('foreignObject')
        .attr('width', iconSize)
        .attr('height', iconSize);
      const divElem = fo
        .append('div')
        .attr('class', 'node-icon-text')
        .attr('style', `height: ${iconSize}px;`)
        .append('div')
        .html(service.iconText); // <- iconText passed into innerHTML
    /** ... **/
  };
};
```
This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4,
around 15 months ago, which was released in
[v11.1.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.1.0).
### PoC
Render the following diagram and observe the modified DOM.
```
architecture-beta
group api(cloud)[API]
service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in api
```
Here is a PoC on mermaid.live:
https://mermaid.live/edit#pako:eNo9T8FOwzAM_ZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-_n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeug_v7b8yPdMdgR_kaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA
### Impact
XSS on all sites that use mermaid and render user supplied diagrams
without further sanitization.
### Remediation
Sanitize the value of `iconText` before passing it to `html()`.
#### [CVE-2025-54881](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh)
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for
sequence diagram labels is passed to `innerHTML` during calculation of
element size, causing XSS.
### Details
Sequence diagram node labels with KaTeX delimiters are passed through
`calculateMathMLDimensions`. This method passes the full label to
`innerHTML`, which allows malicious users to inject arbitrary HTML
and cause XSS when mermaid-js is used in its default configuration
(with KaTeX support enabled).
The vulnerability lies here:
```ts
export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};
```
The `calculateMathMLDimensions` method was introduced in
5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was
released in [Mermaid
10.9.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.0).
### PoC
Render the following diagram and observe the modified DOM.
```
sequenceDiagram
participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
A->>John: Hello John, how are you?
Alice-)John: See you later!
```
Here is a PoC on mermaid.live:
https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU
### Impact
XSS on all sites that use mermaid and render user supplied diagrams
without further sanitization.
### Remediation
The value of the `text` argument for the `calculateMathMLDimensions`
method needs to be sanitized before getting passed on to `innerHTML`.
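Both advisories reach an `html()`/`innerHTML` sink through a label carrying an HTML tag with an inline event handler. As an added example (not mermaid's code and not from the advisories), the following is a pre-render gate a site could run over user-supplied diagram source, the "further sanitization" the Impact sections refer to, plus the minimal escaping that suffices for a plain-text label such as `iconText`. `findHtmlInjection`, `gateAll` and `escapeHtml` are names chosen here; the inputs are the two PoC diagrams quoted above and a benign diagram, constructed inline.

```javascript
// Added example, not mermaid's own code: a pre-render gate for untrusted
// diagram source. It only decides whether text may be handed to the renderer
// unchanged; it does not try to clean it. Heuristic, not a parser.
const HTML_TAG_RE = /<\s*\/?\s*[a-zA-Z][^>]*>/;   // <img ...>, </div>, <svg ...>
const EVENT_HANDLER_RE = /\bon[a-zA-Z]+\s*=/;     // onerror=, onload=, onclick=
const SCRIPT_URL_RE = /javascript\s*:/i;          // href="javascript:..."

// Returns one finding per offending source line: { line, reasons, text }.
function findHtmlInjection(diagramSource) {
  const findings = [];
  diagramSource.split(/\r?\n/).forEach((line, idx) => {
    const reasons = [];
    if (HTML_TAG_RE.test(line)) reasons.push('html-tag');
    if (EVENT_HANDLER_RE.test(line)) reasons.push('event-handler');
    if (SCRIPT_URL_RE.test(line)) reasons.push('javascript-url');
    if (reasons.length > 0) findings.push({ line: idx + 1, reasons, text: line.trim() });
  });
  return findings;
}

// Verdict per diagram: 'reject' if anything was flagged, otherwise 'ok'.
function gateAll(diagrams) {
  const out = {};
  for (const [name, src] of Object.entries(diagrams)) {
    out[name] = findHtmlInjection(src).length > 0 ? 'reject' : 'ok';
  }
  return out;
}

// Minimal defence at the sink for a label meant to be plain text (the
// architecture iconText case): escape before .html()/innerHTML. This is NOT
// enough for the KaTeX case, where the rendered math is itself HTML; there
// the rendered output needs an allowlist HTML sanitizer instead of escaping.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs: the two PoC diagrams from the advisories and a benign one.
const ARCH_POC = [
  'architecture-beta',
  '    group api(cloud)[API]',
  '    service db "<img src=x onerror=\\"document.write(`xss on ${document.domain}`)\\">" [Database] in api',
].join('\n');
const SEQ_POC = [
  'sequenceDiagram',
  '    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\\\text{Alice}$$',
  '    A->>John: Hello John, how are you?',
].join('\n');
const BENIGN = [
  'sequenceDiagram',
  '    participant A as Alice $$\\\\text{Alice}$$',
  '    A->>John: x <= 3 and y > 4', // bare comparison operators are not a tag
].join('\n');
```

A rejected diagram should be refused or rendered as plain text, never passed to mermaid after an ad hoc strip of the matched fragment.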
---
### Release Notes
<details>
<summary>mermaid-js/mermaid (mermaid)</summary>

### [`v11.10.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.10.0)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/[email protected]@11.10.0)

##### Minor Changes

- [#6744](https://redirect.github.com/mermaid-js/mermaid/pull/6744) [`daf8d8d`](https://redirect.github.com/mermaid-js/mermaid/commit/daf8d8d3befcd600618a629977b76463b38d0ad9) Thanks [@SpecularAura](https://redirect.github.com/SpecularAura)! - feat: Added support for per link curve styling in flowchart diagram using edge ids

##### Patch Changes

- [#6857](https://redirect.github.com/mermaid-js/mermaid/pull/6857) [`b9ef683`](https://redirect.github.com/mermaid-js/mermaid/commit/b9ef683fb67b8959abc455d6cc5266c37ba435f6) Thanks [@knsv](https://redirect.github.com/knsv)! - feat: Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration
- [#6653](https://redirect.github.com/mermaid-js/mermaid/pull/6653) [`2c0931d`](https://redirect.github.com/mermaid-js/mermaid/commit/2c0931da46794b49d2523211e25f782900c34e94) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - chore: Remove the "-beta" suffix from the XYChart, Block, Sankey diagrams to reflect their stable status
- [#6683](https://redirect.github.com/mermaid-js/mermaid/pull/6683) [`33e08da`](https://redirect.github.com/mermaid-js/mermaid/commit/33e08daf175125295a06b1b80279437004a4e865) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix: Position the edge label in state diagram correctly relative to the edge
- [#6693](https://redirect.github.com/mermaid-js/mermaid/pull/6693) [`814b68b`](https://redirect.github.com/mermaid-js/mermaid/commit/814b68b4a94813f7c6b3d7fb4559532a7bab2652) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix: Apply correct dateFormat in Gantt chart to show only day when specified
- [#6734](https://redirect.github.com/mermaid-js/mermaid/pull/6734) [`fce7cab`](https://redirect.github.com/mermaid-js/mermaid/commit/fce7cabb71d68a20a66246fe23d066512126a412) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix: handle exclude dates properly in Gantt charts when using dateFormat: 'YYYY-MM-DD HH:mm:ss'
- [#6733](https://redirect.github.com/mermaid-js/mermaid/pull/6733) [`fc07f0d`](https://redirect.github.com/mermaid-js/mermaid/commit/fc07f0d8abca49e4f887d7457b7b94fb07d1e3da) Thanks [@omkarht](https://redirect.github.com/omkarht)! - fix: fixed connection gaps in flowchart for roundedRect, stadium and diamond shape
- [#6876](https://redirect.github.com/mermaid-js/mermaid/pull/6876) [`12e01bd`](https://redirect.github.com/mermaid-js/mermaid/commit/12e01bdb5cacf3569133979a5a4f1d8973e9aec1) Thanks [@sidharthv96](https://redirect.github.com/sidharthv96)! - fix: sanitize icon labels and icon SVGs. Resolves CVE-2025-54880 reported by [@fourcube](https://redirect.github.com/fourcube)
- [#6801](https://redirect.github.com/mermaid-js/mermaid/pull/6801) [`01aaef3`](https://redirect.github.com/mermaid-js/mermaid/commit/01aaef39b4a1ec8bc5a0c6bfa3a20b712d67f4dc) Thanks [@sidharthv96](https://redirect.github.com/sidharthv96)! - fix: Update casing of ID in requirement diagram
- [#6796](https://redirect.github.com/mermaid-js/mermaid/pull/6796) [`c36cd05`](https://redirect.github.com/mermaid-js/mermaid/commit/c36cd05c45ac3090181152b4dae41f8d7b569bd6) Thanks [@HashanCP](https://redirect.github.com/HashanCP)! - fix: Make flowchart elk detector regex match less greedy
- [#6702](https://redirect.github.com/mermaid-js/mermaid/pull/6702) [`8bb29fc`](https://redirect.github.com/mermaid-js/mermaid/commit/8bb29fc879329ad109898e4025b4f4eba2ab0649) Thanks [@qraqras](https://redirect.github.com/qraqras)! - fix(block): overflowing blocks no longer affect later lines. This may change the layout of block diagrams that have overflowing lines (i.e. block diagrams that use up more columns than the `columns` specifier).
- [#6717](https://redirect.github.com/mermaid-js/mermaid/pull/6717) [`71b04f9`](https://redirect.github.com/mermaid-js/mermaid/commit/71b04f93b07f876df2b30656ef36036c1d0e4e4f) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix: log warning for blocks exceeding column width. This update adds a validation check that logs a warning message when a block's width exceeds the defined column layout.
- [#6820](https://redirect.github.com/mermaid-js/mermaid/pull/6820) [`c99bce6`](https://redirect.github.com/mermaid-js/mermaid/commit/c99bce6bab4c7ce0b81b66d44f44853ce4aeb1c3) Thanks [@kriss-u](https://redirect.github.com/kriss-u)! - fix: Add escaped class literal name on namespace
- [#6332](https://redirect.github.com/mermaid-js/mermaid/pull/6332) [`6cc1926`](https://redirect.github.com/mermaid-js/mermaid/commit/6cc192680a2531cab28f87a8061a53b786e010f3) Thanks [@ajuckel](https://redirect.github.com/ajuckel)! - fix: Allow equals sign in sequenceDiagram labels
- [#6651](https://redirect.github.com/mermaid-js/mermaid/pull/6651) [`9da6fb3`](https://redirect.github.com/mermaid-js/mermaid/commit/9da6fb39ae278401771943ac85d6d1b875f78cf1) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - Add validation for negative values in pie charts: prevents crashes during parsing by validating values post-parsing, and provides clearer, user-friendly error messages for invalid negative inputs.
- [#6803](https://redirect.github.com/mermaid-js/mermaid/pull/6803) [`e48b0ba`](https://redirect.github.com/mermaid-js/mermaid/commit/e48b0ba61dab7f95aa02da603b5b7d383b894932) Thanks [@omkarht](https://redirect.github.com/omkarht)! - chore: migrate to class-based ArchitectureDB implementation
- [#6838](https://redirect.github.com/mermaid-js/mermaid/pull/6838) [`4d62d59`](https://redirect.github.com/mermaid-js/mermaid/commit/4d62d5963238400270e9314c6e4d506f48147074) Thanks [@saurabhg772244](https://redirect.github.com/saurabhg772244)! - fix: node border style for handdrawn shapes
- [#6739](https://redirect.github.com/mermaid-js/mermaid/pull/6739) [`e9ce8cf`](https://redirect.github.com/mermaid-js/mermaid/commit/e9ce8cf4da9062d85098042044822100889bb0dd) Thanks [@kriss-u](https://redirect.github.com/kriss-u)! - fix: Update flowchart direction TD's behavior to be the same as TB
- [#6833](https://redirect.github.com/mermaid-js/mermaid/pull/6833) [`9258b29`](https://redirect.github.com/mermaid-js/mermaid/commit/9258b2933bbe1ef41087345ffea3731673671c49) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix: correctly render non-directional lines for '---' in block diagrams
- [#6855](https://redirect.github.com/mermaid-js/mermaid/pull/6855) [`da90f67`](https://redirect.github.com/mermaid-js/mermaid/commit/da90f6760b6efb0da998bcb63b75eecc29e06c08) Thanks [@sidharthv96](https://redirect.github.com/sidharthv96)! - fix: fallback to raw text instead of rendering *Unsupported markdown* or empty blocks. Instead of printing **Unsupported markdown: XXX**, or empty blocks, when using a markdown feature that Mermaid does not yet support with `htmlLabels: true` (default) or `htmlLabels: false`, fall back to the raw markdown text.
- [#6876](https://redirect.github.com/mermaid-js/mermaid/pull/6876) [`0133f1c`](https://redirect.github.com/mermaid-js/mermaid/commit/0133f1c0c5cff4fc4c8e0b99e9cf0b3d49dcbe71) Thanks [@sidharthv96](https://redirect.github.com/sidharthv96)! - fix: sanitize KATEX blocks. Resolves CVE-2025-54881 reported by [@fourcube](https://redirect.github.com/fourcube)
- [#6804](https://redirect.github.com/mermaid-js/mermaid/pull/6804) [`895f9d4`](https://redirect.github.com/mermaid-js/mermaid/commit/895f9d43ff98ca05ebfba530789f677f31a011ff) Thanks [@omkarht](https://redirect.github.com/omkarht)! - chore: Update packet diagram to use new class-based database structure

### [`v11.9.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.9.0)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/[email protected]@11.9.0)

##### Minor Changes

- [#6453](https://redirect.github.com/mermaid-js/mermaid/pull/6453) [`5acbd7e`](https://redirect.github.com/mermaid-js/mermaid/commit/5acbd7e762469d9d89a9c77faf6617ee13367f3a) Thanks [@sidharthv96](https://redirect.github.com/sidharthv96)! - feat: Add `getRegisteredDiagramsMetadata` to `mermaid`, which returns all the registered diagram IDs in mermaid

##### Patch Changes

- [#6738](https://redirect.github.com/mermaid-js/mermaid/pull/6738) [`d90634b`](https://redirect.github.com/mermaid-js/mermaid/commit/d90634bf2b09e586b055729e07e9a1a31b21827c) Thanks [@shubham-mermaid](https://redirect.github.com/shubham-mermaid)! - chore: Updated TreeMapDB to use class based approach
- [#6510](https://redirect.github.com/mermaid-js/mermaid/pull/6510) [`7a38eb7`](https://redirect.github.com/mermaid-js/mermaid/commit/7a38eb715d795cd5c66cb59357d64ec197b432e6) Thanks [@sidharthv96](https://redirect.github.com/sidharthv96)! - chore: Move packet diagram out of beta
- [#6747](https://redirect.github.com/mermaid-js/mermaid/pull/6747) [`3e3ae08`](https://redirect.github.com/mermaid-js/mermaid/commit/3e3ae089305e1c7b9948b9e149eba6854fe7f2d6) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix: adjust sequence diagram title positioning to prevent overlap with top border in Safari
- [#6751](https://redirect.github.com/mermaid-js/mermaid/pull/6751) [`d3e2be3`](https://redirect.github.com/mermaid-js/mermaid/commit/d3e2be35be066adeb7fd502b4a24c223c3b53947) Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - chore: Update MindmapDB to use class based approach
- [#6715](https://redirect.github.com/mermaid-js/mermaid/pull/6715) [`637680d`](https://redirect.github.com/mermaid-js/mermaid/commit/637680d4d9e39b4f8cb6f05b4cb261e8f5693ac3) Thanks [@Syn3ugar](https://redirect.github.com/Syn3ugar)! - fix(timeline): fix loading `leftMargin` from config. The `timeline.leftMargin` config value should now correctly control the size of the left margin, instead of being ignored.
- Updated dependencies [[`7a38eb7`](https://redirect.github.com/mermaid-js/mermaid/commit/7a38eb715d795cd5c66cb59357d64ec197b432e6)]:
  - [@mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@0.6.2

### [`v11.8.1`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.8.1)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/[email protected]@11.8.1)

##### Patch Changes

- Updated dependencies [[`0da2922`](https://redirect.github.com/mermaid-js/mermaid/commit/0da2922ee7f47959e324ec10d3d21ee70594f557)]:
  - [@mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@0.6.1
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/open-feature/openfeature.dev).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 406e099 commit c5b1784

2 files changed: +18 −13 lines changed