
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-31108 is a CSS injection vulnerability discovered in mermaid.js versions 8+ that was disclosed on June 28, 2022. The vulnerability allows attackers to inject arbitrary CSS into generated graphs, potentially affecting elements outside the intended scope. The issue was identified in mermaid.js version 9.1.1 and was patched in version 9.1.2 (GitHub Advisory).
The vulnerability stems from insufficient sanitization of theme variables in the getStyles function within src/styles.js. By manipulating the textColor theme variable, attackers can inject malicious CSS rules into the document. For example, setting textColor to 'green;} #target { background-color: crimson }' allows styling of arbitrary elements outside the SVG scope. The issue affects multiple functions that handle style modifications (GitHub Advisory).
The vulnerability enables information disclosure through CSS selectors and functions capable of generating HTTP requests. Attackers can exploit this to exfiltrate sensitive information by brute-forcing input field values using specially crafted CSS selectors. Additionally, the vulnerability allows attackers to modify document styling in ways that could lead users to perform unintended actions (GitHub Advisory, Security Lab).
The vulnerability was patched in mermaid.js version 9.1.2. The fix involves proper sanitization of user input before embedding it in CSS blocks. Users should upgrade to version 9.1.2 or later to mitigate this vulnerability (GitHub Advisory).
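The pattern described above, shown as an added example that is not mermaid's code or its actual patch: a simplified stylesheet builder that concatenates textColor verbatim, next to a version that allow-lists the value before embedding it. The function names, the allow-list regex, the fallback colour and the svgId value are assumptions made for illustration.

```javascript
// Added example, not mermaid's source. All function names are hypothetical.

// The textColor value quoted in the advisory text above.
const PAGE_PAYLOAD = 'green;} #target { background-color: crimson }';

// Vulnerable pattern: the theme value is concatenated into the CSS block as-is,
// so a ';}' inside it closes the intended rule and starts a new one.
function buildStylesUnsafe(svgId, theme) {
  return `#${svgId} .label { color: ${theme.textColor}; }`;
}

// Allow-list (an assumption, deliberately strict): hex colours, bare keywords
// such as 'green', and rgb()/hsl() with numeric arguments only. Anything that
// contains ';', '{', '}' or url(...) fails to match.
const SAFE_VALUE =
  /^(?:#[0-9a-fA-F]{3,8}|[a-zA-Z]+|(?:rgb|hsl)a?\(\s*[0-9.,%\s\/]+\))$/;

function isSafeCssValue(value) {
  return typeof value === 'string' &&
    value.length <= 64 &&
    SAFE_VALUE.test(value.trim());
}

// Hardened pattern: validate before embedding, fall back to a fixed colour.
// svgId is assumed to be generated by the application, not user-supplied.
function buildStylesSafe(svgId, theme, fallback = '#333') {
  const color = isSafeCssValue(theme.textColor)
    ? theme.textColor.trim()
    : fallback;
  return `#${svgId} .label { color: ${color}; }`;
}

// Review aid: one rule block is expected; more means a value broke out.
function countRuleBlocks(css) {
  return (css.match(/\{/g) || []).length;
}

const unsafeCss = buildStylesUnsafe('g1', { textColor: PAGE_PAYLOAD });
const safeCss = buildStylesSafe('g1', { textColor: PAGE_PAYLOAD });
console.log(countRuleBlocks(unsafeCss), unsafeCss); // two rule blocks
console.log(countRuleBlocks(safeCss), safeCss);     // one rule block
```

The same check applies to every theme variable that reaches a style block, not only textColor.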
Source: This report was generated using AI