Cross-site scripting in mermaid - CVE-2022-31108

Published: June 28, 2022 / Updated: April 24, 2026


Vulnerability identifier: #VU127459
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2022-31108
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: mermaid-js
Affected software:
mermaid

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary CSS through a crafted diagram definition; because the injected rules are not confined to the generated graph, they also affect the HTML of the page that hosts it.

The vulnerability exists due to insufficient sanitization of diagram content when the renderer emits the styles for a graph. A remote attacker who can supply a diagram definition (for example, content that an application renders with mermaid) can break out of the intended style rules and add arbitrary CSS to the generated graph. Such rules can restyle elements outside the diagram container, and the public CVE description notes that CSS selectors combined with properties that load a URL (such as a background image) can be used to leak information from the page to an attacker-controlled server. Note that although the entry is titled and classified (CWE-79) as cross-site scripting, the injected content is CSS, not script.


How to mitigate CVE-2022-31108

Upgrade mermaid to a release that contains the vendor's fix (the project's advisory for this CVE lists 9.1.2 as the patched version). Where an upgrade is not immediately possible, do not render diagram definitions from untrusted sources. Two defence-in-depth measures also limit the impact: mermaid's `securityLevel` configuration option accepts the value `sandbox`, which renders the diagram inside a sandboxed iframe so injected styles cannot reach the hosting page, and a Content-Security-Policy that restricts `img-src` and `font-src` denies the CSS-triggered requests that an exfiltration attempt relies on.
