CVE-2022-36036: 
JavaScript vulnerability analysis and mitigation

CVE-2022-36036 affects mdx-mermaid, a package that provides plug and play access to Mermaid in MDX. The vulnerability was discovered and disclosed in August 2022, affecting versions less than 1.3.0 and 2.0.0-rc1. This security issue allows for potential arbitrary JavaScript injection through mermaid code blocks (NVD).

The vulnerability is classified as an Improper Control of Generation of Code (Code Injection) with a CVSS v3.1 base score of 3.6 (Low severity). The attack vector is Local (AV:L), with High attack complexity (AC:H), requiring Low privileges (PR:L), and No user interaction (UI:N). The scope is Unchanged (S:U) with Low impacts on both Confidentiality (C:L) and Integrity (I:L), and No impact on Availability (A:N) (GitHub Advisory).

The vulnerability allows attackers to inject and execute arbitrary JavaScript code when the component is loaded by MDXjs. This can be achieved by modifying mermaid code blocks with malicious JavaScript code that executes upon component loading (GitHub Advisory).

The vulnerability has been patched in versions 1.3.0 and 2.0.0-rc2. No known workarounds are available for affected versions. Users are advised to upgrade to the patched versions (GitHub Advisory).