The vulnerability lies in the architecture diagram renderer. When a service node carries an `iconText` value, that attacker-controlled string is passed straight to D3's `.html()` method without sanitization. `.html()` writes its argument into the DOM as raw HTML rather than as text, which makes it a classic Cross-Site Scripting (XSS) sink. An attacker crafts a diagram whose `iconText` contains an HTML tag with a script-bearing event handler (e.g., <img src=x onerror=alert(1)>). When a victim views the rendered diagram, the payload runs in their browser in the origin of the site hosting the vulnerable Mermaid instance, so the attacker can perform any action that user can perform there.
Platform: Mermaid.js
Version: <=11.9.0
Vulnerability: XSS
Severity: Critical
Date: 2025-02-19
Prediction: 2025-03-12
What Undercode Say:
Search for the vulnerable pattern in codebases (the include globs need the `*` prefix, and the dot is escaped so it matches literally):
grep -r "\.html(" --include="*.js" --include="*.ts" .
Example of the vulnerable code snippet
const divElem = fo.append('div')
.attr('class', 'node-icon-text')
.html(service.iconText); // VULNERABLE
How to Exploit:
architecture-beta
    service db("<img src=x onerror=alert(`XSS`)>")
Protection from this CVE:
// Sanitize user input before using .html()
import DOMPurify from 'dompurify';
// ...
.html(DOMPurify.sanitize(service.iconText));
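The vulnerable and hardened render paths side by side, as an added example that is not code from Mermaid or D3. A minimal FakeElement stands in for a D3 selection so it runs in plain Node without a browser. The hardened path renders iconText as text instead of passing it through DOMPurify: an icon label needs no markup, and escaping drops even the harmless tags DOMPurify would keep. findMarkupInIconText scans diagram sources for the `service id("...")` form used in the exploit above; that syntax is an assumption about the grammar, and all function names here are this example's own.

```javascript
// Added example (not Mermaid's or D3's code). FakeElement stands in for a D3
// selection: .html() assigns innerHTML verbatim (the vulnerable path), .text()
// stores a text node, which the browser serialises back with < > & escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

class FakeElement {
  constructor() {
    this.innerHTML = '';
  }
  // D3 selection.html(value): the string is parsed as markup, so event handlers run.
  html(value) {
    this.innerHTML = String(value);
    return this;
  }
  // D3 selection.text(value): a text node, never parsed as markup.
  text(value) {
    this.innerHTML = escapeHtml(value);
    return this;
  }
}

// Mirrors the vulnerable pattern on the page: user-controlled iconText goes straight to .html().
function renderIconTextVulnerable(service) {
  const divElem = new FakeElement().html(service.iconText); // VULNERABLE
  return divElem.innerHTML;
}

// Hardened form: iconText is a short label, so render it as text. Unlike
// DOMPurify.sanitize(), this keeps no markup at all (not even <b>).
function renderIconTextSafe(service) {
  const divElem = new FakeElement().text(service.iconText);
  return divElem.innerHTML;
}

// Detection over diagram sources. Assumption: icon text is written as
// service id("...") (the form used in the exploit above); adjust if the grammar differs.
const ICON_TEXT_RE = /\bservice\s+\w+\("([^"]*)"\)/g;
const MARKUP_RE = /<\s*[a-zA-Z!\/]/;

function findMarkupInIconText(diagramSource) {
  const hits = [];
  for (const m of diagramSource.matchAll(ICON_TEXT_RE)) {
    if (MARKUP_RE.test(m[1])) {
      hits.push(m[1]);
    }
  }
  return hits;
}

// Constructed sample diagram: one benign service and one carrying the page's payload.
const PAYLOAD = '<img src=x onerror=alert(`XSS`)>';
const SAMPLE_DIAGRAM = [
  'architecture-beta',
  '    service api("API")[Gateway]',
  `    service db("${PAYLOAD}")[Database]`,
].join('\n');

console.log('vulnerable:', renderIconTextVulnerable({ iconText: PAYLOAD }));
console.log('hardened:  ', renderIconTextSafe({ iconText: PAYLOAD }));
console.log('flagged:   ', findMarkupInIconText(SAMPLE_DIAGRAM));
```

The scanner is a triage aid for diagram sources stored server-side (wikis, issue trackers, docs pipelines); it does not replace fixing the sink, since a renderer that calls `.html()` on untrusted text stays exploitable by any input the regex misses.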
Impact:
Arbitrary JavaScript Execution
Session Hijacking
Account Compromise
Sources:
Reported By: github.com

