What is CVE-2022-31108?

CVE-2022-31108 is a medium-severity vulnerability in Mermaid-js Mermaid, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 4.1/10. Published 2022-06-28.

How severe is CVE-2022-31108?

Medium severity. CVSS v3 base score is 4.1 out of 10.

Vulnerability in Mermaid-js Mermaid

CVE-2022-31108

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing…

EPSS: 0.002 (46.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N.

Affected products

Mermaid-js Mermaid — versions >= 8.0.0, < 9.1.3

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

github.com/mermaid-js/mermaid/security/advisories/GHSA-x3vm-38hw-55wf (x_refsource_CONFIRM)
github.com/mermaid-js/mermaid/commit/0ae1bdb61adff1cd485caff8c62ec6b8ac57b225 (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-31108?: CVE-2022-31108 is a medium-severity vulnerability in Mermaid-js Mermaid, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 4.1/10. Published 2022-06-28.
How severe is CVE-2022-31108?: Medium severity. CVSS v3 base score is 4.1 out of 10.