CVE-2021-43861

HIGH

mermaid < 8.13.8 - Remote Code Execution via Malicious Diagram

Title source: llm
STIX 2.1

Description

Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.

References (3)

Core 3
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/mermaid-js/mermaid/releases/tag/8.13.8

Scores

CVSS v3 7.2
EPSS 0.0091
EPSS Percentile 55.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20 CWE-79
Status published
Products (2)
mermaid_project/mermaid < 8.13.8
npm/mermaid 0 - 8.13.8npm
Published Dec 30, 2021
Tracked Since Feb 18, 2026