CVE-2025-26791 impacting Mermaid 10.9.3 due to its dependency on dompurify@^3.0.5 <3.1.7 #6328
Labels
Status: Triage
Needs to be verified, categorized, etc
Type: Bug / Error
Something isn't working or is incorrect
Description
This CVE: dompurify@^3.0.5 <3.1.7 is impacting users of Mermaid 10.9.3 because it depends on [email protected] < 3.1.7
There is a fix in dompurify, but it's in version @^3.2.4.
In the project I work on, we can't easily move to Mermaid 11.x because of having already received security sign off for 10.9.3 (but not any newer version).
Is there a plan to patch Mermaid 10.9.x so that it can consume dompurify 3.2.4?
Steps to reproduce
No explicit steps to reproduce, but if you have a system that alerts you of new CVEs, and if you're using Mermaid 10.9.3, you'll see that you are vulnerable due to using a vulnerable version of dompurify.
Screenshots
No response
Code Sample
Setup
Suggested Solutions
No response
Additional Context
No response
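Added example (not from the issue author or the Mermaid project): a script that scans an npm package-lock.json for dompurify installs inside the affected range named in this issue (>=3.0.5, <3.1.7) and reports which parent package pulled each one in, which is the check a CVE scanner performs. The lockfile content is constructed for the example; the `^3.0.5` range and the `3.1.6` version in it are sample values, not a claim about what Mermaid 10.9.3 actually resolves.

```javascript
// Affected range for the dompurify advisory as stated in the issue.
const AFFECTED_MIN = [3, 0, 5]; // first affected version (inclusive)
const FIXED_IN = [3, 1, 7];     // first fixed version (exclusive)

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedDompurify(version) {
  const v = parseSemver(version);
  if (!v) return false; // unparsable version: do not claim it is safe or affected
  return cmpSemver(v, AFFECTED_MIN) >= 0 && cmpSemver(v, FIXED_IN) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 file. Keys are install
// paths such as "node_modules/mermaid/node_modules/dompurify", so the path
// itself tells us which dependency chain brought the copy in.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/dompurify')) continue;
    if (!isAffectedDompurify(meta.version)) continue;
    const chain = path.split('node_modules/').filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    hits.push({ path, version: meta.version, chain });
  }
  return hits;
}

// Constructed sample lockfile: a nested (affected) copy under mermaid and a
// hoisted top-level copy that is already on a fixed release.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { dependencies: { mermaid: '10.9.3' } },
    'node_modules/mermaid': { version: '10.9.3', dependencies: { dompurify: '^3.0.5' } },
    'node_modules/mermaid/node_modules/dompurify': { version: '3.1.6' },
    'node_modules/dompurify': { version: '3.2.4' },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`affected dompurify@${h.version} via ${h.chain.join(' > ')} (${h.path})`);
}
```

Until the 10.9.x line pins a fixed dompurify, the same scan confirms whether a package-manager override (npm `overrides` / Yarn `resolutions`) actually replaced the nested copy rather than only the hoisted one.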