
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity prototype pollution vulnerability, GHSA-m4gq-x24j-jpmf, was reported in the copy of DOMPurify bundled into Mermaid. It affects Mermaid versions <= 10.9.2 and is patched in 10.9.3 and 11.0.0. Only the pre-built bundles shipped in the Mermaid NPM package are affected: dist/mermaid.min.js, dist/mermaid.js, dist/mermaid.esm.mjs and dist/mermaid.esm.min.mjs each embed their own copy of DOMPurify, so updating the dompurify package in node_modules does not fix them (GitHub Advisory).
The vulnerability carries a CVSS v3.1 base score of 7.0 (High), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L. The root cause is that the bundled DOMPurify is vulnerable to GHSA-mmhx-hmjr-r674, a prototype pollution weakness in DOMPurify that can lead to cross-site scripting (XSS). The exposure is most acute for pages that load the affected files from a CDN with a pinned version, such as https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js: no package-manager update touches such a reference, so the version in the URL has to be bumped by hand (GitHub Advisory).
In CVSS terms the impact is high on integrity (an attacker can get script or content injected into the rendered page) and low on confidentiality and availability. The high attack-complexity rating (AC:H) signals that exploitation depends on conditions beyond the attacker's direct control, while the score assumes no privileges and no user interaction are required (GitHub Advisory).
Users of the bundled dist files should upgrade to Mermaid 10.9.3 or later (11.0.0 or later on the 11.x line). Those importing the default NPM export (import mermaid from 'mermaid') or dist/mermaid.core.mjs are not affected by this Mermaid advisory, because those entry points do not bundle DOMPurify but resolve it from node_modules; they should instead update that dependency with their package manager, for example with 'npm audit fix'. The fix landed on the develop branch (6c785c9) and was backported to v10 (92a07ff) (GitHub Advisory).
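As an added example (not code from the advisory or from the Mermaid project), the following Node.js script encodes the exposure rules above so they can be run over import specifiers and over the CDN script tags of a page: a usage is exposed only when the Mermaid version predates the fix and the entry point is one of the listed bundled dist files, while the default export and dist/mermaid.core.mjs are flagged as a plain dependency update. The function names, the sample HTML and the treatment of 11.0.0 prereleases as unfixed are assumptions of this example.

```javascript
// Added example: encode the exposure rules of GHSA-m4gq-x24j-jpmf so they can be
// run over import specifiers and CDN <script> tags. Not Mermaid's or the advisory's
// own code; function names, sample input and prerelease handling are assumptions.

// From the advisory: dist files that embed their own copy of DOMPurify.
const BUNDLED_FILES = new Set([
  "dist/mermaid.min.js",
  "dist/mermaid.js",
  "dist/mermaid.esm.mjs",
  "dist/mermaid.esm.min.mjs",
]);
// Entry point that resolves DOMPurify from node_modules instead of bundling it.
const UNBUNDLED_ENTRY = "dist/mermaid.core.mjs";
const FIXED_V10 = "10.9.3"; // backport on the v10 line
const FIXED_V11 = "11.0.0"; // fix on the develop line

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// -1 / 0 / 1 ordering; a prerelease sorts before its release (SemVer 2.0.0, item 11).
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Vulnerable when below the fix for its major line. Assumption: 11.0.0 prereleases
// are treated as unfixed because the advisory names 11.0.0 as the patched release.
function versionIsVulnerable(version) {
  const fixed = parseSemver(version).major >= 11 ? FIXED_V11 : FIXED_V10;
  return compareSemver(version, fixed) < 0;
}

// Classify one usage. `entry` is the import specifier ("mermaid", "mermaid/dist/...")
// or a bare dist path. exposed: "yes" | "no" | "own-dependency" | "unknown".
function classifyUsage(version, entry) {
  const path = entry.replace(/^mermaid\//, "");
  if (!versionIsVulnerable(version)) {
    return { exposed: "no", reason: `mermaid ${version} contains the fix` };
  }
  if (BUNDLED_FILES.has(path)) {
    return { exposed: "yes", reason: `${path} bundles a vulnerable DOMPurify; upgrade mermaid to ${FIXED_V10} or later` };
  }
  if (entry === "mermaid" || path === UNBUNDLED_ENTRY) {
    return { exposed: "own-dependency", reason: "DOMPurify comes from node_modules; update it (npm audit fix)" };
  }
  return { exposed: "unknown", reason: `${path} is not listed in the advisory` };
}

// Pull version and dist path out of a jsDelivr-style URL (.../npm/mermaid@X/dist/...).
function parseCdnUrl(url) {
  const m = /^\/npm\/mermaid@([^/]+)\/(.+)$/.exec(new URL(url).pathname);
  return m ? { version: m[1], path: m[2] } : null;
}

function classifyCdnUrl(url) {
  const ref = parseCdnUrl(url);
  if (!ref) return { url, exposed: "unknown", reason: "not a mermaid CDN URL" };
  return { url, ...classifyUsage(ref.version, ref.path) };
}

// Scan HTML for <script src="..."> tags and classify each mermaid CDN reference.
function auditHtml(html) {
  const results = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (/\/npm\/mermaid@/.test(m[1])) results.push(classifyCdnUrl(m[1]));
  }
  return results;
}

// Constructed sample page: one tag pinned to the vulnerable release, one to the fix,
// and one unrelated library that must be ignored.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js"></script>
<script type="module" src='https://cdn.jsdelivr.net/npm/mermaid@10.9.3/dist/mermaid.esm.min.mjs'></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"></script>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditHtml(SAMPLE_HTML)) console.log(r.exposed, r.url, r.reason);
}
```

Run it with `node` to print one line per Mermaid CDN reference in the sample page; point auditHtml at your own templates, or call classifyUsage with the specifier from your import statements, to get the same verdict for a repository. The version comparison is deliberately strict about prereleases so that an `11.0.0-alpha` pin is not mistaken for the patched 11.0.0.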
Source: This report was generated using AI