mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-27 10:15:50 +01:00
Giteabot
6a27066269
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.14.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0) |  |  | --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102) - [https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) - [https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @​zsxsoft on behalf of @​KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) - [https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6) - [https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6) - [https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @​zsxsoft on behalf of @​KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) - [https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) - [https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102) - [https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>mermaid-js/mermaid (mermaid)</summary> ### [`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) [Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0) ##### Minor Changes - [#​7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174) [`0aca217`](https://redirect.github.com/mermaid-js/mermaid/commit/0aca21739c0d1fcaaa206e04a6cd574ebc415483) Thanks [@​milesspencer35](https://redirect.github.com/milesspencer35)! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive - [#​7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512) [`8e17492`](https://redirect.github.com/mermaid-js/mermaid/commit/8e17492f7365ba50896382feb69a23efd9d8a22d) Thanks [@​aruncveli](https://redirect.github.com/aruncveli)! - feat(flowchart): add datastore shape In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`. - [#​6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440) [`9ad8dde`](https://redirect.github.com/mermaid-js/mermaid/commit/9ad8dde6d049adde85d8ed2d476c09b5820f3f4b) Thanks [@​yordis](https://redirect.github.com/yordis), [@​lgazo](https://redirect.github.com/lgazo)! - feat: add Event Modeling diagram - [#​7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707) [`27db774`](https://redirect.github.com/mermaid-js/mermaid/commit/27db774627be1cee881961dfd0d2cb21cd01b79d) Thanks [@​txmxthy](https://redirect.github.com/txmxthy)! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source - [#​7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604) [`bf9502f`](https://redirect.github.com/mermaid-js/mermaid/commit/bf9502fb6012a4b724679b401ac928f5ee55161c) Thanks [@​M-a-c](https://redirect.github.com/M-a-c)! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set `class.hierarchicalNamespaces=false` in your mermaid config: ```yaml config: class: hierarchicalNamespaces: false ``` - [#​7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272) [`88cdd3d`](https://redirect.github.com/mermaid-js/mermaid/commit/88cdd3dc0aab9577174561b04e14760c565a232b) Thanks [@​xinbenlv](https://redirect.github.com/xinbenlv)! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors ##### Patch Changes - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`e9b0f34`](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: prevent unbalanced CSS styles in classDefs - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`37ff937`](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: create CSS styles using the CSSOM This removes some invalid CSS and normalizes some CSS formatting. - [#​7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508) [`bfe60cc`](https://redirect.github.com/mermaid-js/mermaid/commit/bfe60cc67b9a6dec64f9161f58e4d24a06c42b65) Thanks [@​biiab](https://redirect.github.com/biiab)! - fix(stateDiagram): `end note` now only closes a note when used on a new line - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`faafb5d`](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix(gantt): add iteration limit for `excludes` field - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`65f8be2`](https://redirect.github.com/mermaid-js/mermaid/commit/65f8be2a42faf869b811469571983cba7eeeca99) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: disallow some CSS at-rules in custom CSS - [#​7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726) [`1502f32`](https://redirect.github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824) Thanks [@​aloisklink](https://redirect.github.com/aloisklink)! - fix(wardley): fix unnecessary sanitization of text - [#​7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578) [`1f98db8`](https://redirect.github.com/mermaid-js/mermaid/commit/1f98db8e326299ac97a2fa60abfd509d8f5f16e2) Thanks [@​Gaston202](https://redirect.github.com/Gaston202)! - fix(class): self-referential class multiplicity labels no longer rendered multiple times Fixes [#​7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560). Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions. - [#​7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592) [`2343e38`](https://redirect.github.com/mermaid-js/mermaid/commit/2343e38498a3b31f8ce5e79f1f009e0b56fbe086) Thanks [@​knsv-bot](https://redirect.github.com/knsv-bot)! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams - [#​7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589) [`7fb9509`](https://redirect.github.com/mermaid-js/mermaid/commit/7fb9509b8b5cb1dc48519dc60cf6cdc6afba0462) Thanks [@​NYCU-Chung](https://redirect.github.com/NYCU-Chung)! - fix(block): prevent column widths from shrinking when mixing different column spans - [#​7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632) [`3f9e0f1`](https://redirect.github.com/mermaid-js/mermaid/commit/3f9e0f15bedc1e2c71ddb6b34192d1a21124cfc2) Thanks [@​ekiauhce](https://redirect.github.com/ekiauhce)! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams - [#​7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642) [`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445) Thanks [@​tractorjuice](https://redirect.github.com/tractorjuice)! - fix(wardley): allow hyphens in unquoted component names Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly. - [#​7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523) [`5144ed4`](https://redirect.github.com/mermaid-js/mermaid/commit/5144ed4b138ae0f4836bab4c163c575e0a767dd3) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax. - [#​7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262) [`13d9bfa`](https://redirect.github.com/mermaid-js/mermaid/commit/13d9bfa4748e845a9eec7d6265ba496d2278f26e) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax - [#​7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684) [`e14bb88`](https://redirect.github.com/mermaid-js/mermaid/commit/e14bb88bdb940124cdb0a107025653bf93745c99) Thanks [@​aloisklink](https://redirect.github.com/aloisklink)! - fix: loosen `uuid` dependency range to allow v14 Mermaid does not use any of the vulnerable code in CVE-2026-41907, but this allows users to silence any `npm audit` alerts on it. - [#​7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633) [`9217c0d`](https://redirect.github.com/mermaid-js/mermaid/commit/9217c0d8b221b423af80e420b7adae901acf6c8c) Thanks [@​Felix-Garci](https://redirect.github.com/Felix-Garci)! - fix(block): add support for all arrow types in block diagrams - [#​7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587) [`5e7eb62`](https://redirect.github.com/mermaid-js/mermaid/commit/5e7eb62e3aba6b5df559f5c839a868e5b7f40e72) Thanks [@​MaddyGuthridge](https://redirect.github.com/MaddyGuthridge)! - chore: drop lodash-es in favour of es-toolkit - [#​7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693) [`afaf306`](https://redirect.github.com/mermaid-js/mermaid/commit/afaf3062381d115d66744413151b642f124dd9ba) Thanks [@​dull-bird](https://redirect.github.com/dull-bird)! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels. Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule. Fixes [#​7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120). - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`4755553`](https://redirect.github.com/mermaid-js/mermaid/commit/4755553d5fb6d1217809e43ffb8fc54d6a73e482) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: improve D3 types for mermaidAPI funcs - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`6476973`](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: handle `&` when namespacing CSS rules - [#​7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520) [`8c1a0c1`](https://redirect.github.com/mermaid-js/mermaid/commit/8c1a0c1fd19587c6772d6966fe9d217e5cd1356c) Thanks [@​RodrigojndSantos](https://redirect.github.com/RodrigojndSantos)! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments Switch to using two `%%` if you want to write a comment. - Updated dependencies \[[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445), [`675a64c`](https://redirect.github.com/mermaid-js/mermaid/commit/675a64ca0e3cde8728ca715991623c3fc055ce88)]: - [@​mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@​1.1.1 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
import {env} from 'node:process';
import {test, expect} from '@playwright/test';
import {apiCreateRepo, randomString} from './utils.ts';
test('repo readme', async ({page}) => {
const repoName = `e2e-readme-${randomString(8)}`;
await apiCreateRepo(page.request, {name: repoName});
await page.goto(`/${env.GITEA_TEST_E2E_USER}/${repoName}`);
await expect(page.locator('#readme')).toContainText(repoName);
});