CVE-2021-43861

7.2 HIGH

📋 TL;DR

CVE-2021-43861 is a cross-site scripting (XSS) vulnerability in the Mermaid diagramming tool that allows a malicious diagram definition to execute arbitrary JavaScript in the browser of anyone who views it. It affects anyone using Mermaid versions before 8.13.8 to render diagrams from untrusted sources. The vulnerability lets attackers steal session cookies, perform actions as the victim, or redirect users to malicious sites.

💻 Affected Systems

Products:
  • Mermaid
Versions: All versions before 8.13.8
Operating Systems: All platforms running JavaScript
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default rendering configuration when processing untrusted diagram definitions.

📦 What is this software?

Mermaid is a JavaScript diagramming library that turns text definitions written in a Markdown-like syntax into diagrams (flowcharts, sequence diagrams, and similar) rendered in the browser.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, data theft, and malware installation on affected systems through JavaScript execution in victim's browser context.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized actions performed in the context of the logged-in user.

🟢 If Mitigated

Limited impact if proper content security policies are enforced and diagrams are only rendered from trusted sources.

🌐 Internet-Facing: HIGH - Any web application using vulnerable Mermaid versions to render user-supplied diagrams is exposed to XSS attacks.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited if users access malicious diagrams, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to inject malicious diagram definitions into a vulnerable Mermaid instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.13.8

Vendor Advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v

Restart Required: No

Instructions:

1. Update the Mermaid package to version 8.13.8 or later.
2. For npm: 'npm update mermaid'
3. For yarn: 'yarn upgrade mermaid'
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Content Security Policy (platform: all)

Implement strict Content Security Policy headers to restrict script execution, for example:

Content-Security-Policy: script-src 'self'

Input Sanitization (platform: all)

Sanitize all user-supplied diagram definitions before processing.
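A CSP only helps against this class of XSS if the effective script policy really forbids injected inline scripts. The following is an added example (not part of this CVE entry or of the Mermaid project): a small checker that parses a Content-Security-Policy header value and lists the weaknesses that would let an injected script run. It assumes that a "strict" policy means a script-src directive (or a default-src fallback) that allows neither 'unsafe-inline' without a nonce/hash, nor a wildcard, nor data: sources; the sample header values at the bottom are constructed.

```javascript
// Added example: audit a CSP header value for settings that would still let
// an injected <script> or inline event handler execute.

// Split "dir1 v v; dir2 v" into { dir1: [v, v], dir2: [v] }.
function parseCsp(header) {
  const policy = {};
  for (const part of String(header).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Return a list of human-readable problems with the script policy.
// An empty list means the policy blocks injected inline/remote scripts.
function scriptPolicyWeaknesses(header) {
  const policy = parseCsp(header);
  // script-src takes precedence; default-src is the fallback when it is absent.
  const src = policy['script-src'] || policy['default-src'];
  const problems = [];
  if (!src) {
    problems.push('no script-src or default-src: browsers allow any script');
    return problems;
  }
  const lower = src.map((s) => s.toLowerCase());
  // Per CSP3, 'unsafe-inline' is ignored when a nonce or hash source is present.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    problems.push("'unsafe-inline' permits injected <script> blocks and event handlers");
  }
  if (lower.includes('*')) {
    problems.push('wildcard source permits scripts from any origin');
  }
  if (lower.includes('data:')) {
    problems.push('data: sources can carry attacker-controlled script');
  }
  if (lower.includes("'unsafe-eval'")) {
    problems.push("'unsafe-eval' lets injected strings reach eval()");
  }
  return problems;
}

function isStrictScriptPolicy(header) {
  return scriptPolicyWeaknesses(header).length === 0;
}

// Constructed sample header values for a quick self-check.
const SAMPLE_HEADERS = {
  recommended: "script-src 'self'",
  fallbackOnly: "default-src 'self'; img-src *",
  weak: "script-src 'self' 'unsafe-inline'",
  missing: "img-src 'self'",
};

for (const [label, value] of Object.entries(SAMPLE_HEADERS)) {
  console.log(label, '->', isStrictScriptPolicy(value) ? 'strict' : scriptPolicyWeaknesses(value));
}
```

Run it against the header your application actually emits (for example from the response of a page that embeds a Mermaid diagram) rather than against the value in your configuration file, since proxies and frameworks sometimes rewrite or append directives.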

🧯 If You Can't Patch

  • Disable Mermaid rendering for untrusted user content
  • Implement strict Content Security Policies and input validation

🔍 How to Verify

Check if Vulnerable:

Check if Mermaid version is below 8.13.8 in package.json or via package manager

Check Version:

npm list mermaid | grep mermaid

Verify Fix Applied:

Confirm Mermaid version is 8.13.8 or higher and test with known malicious diagram definitions
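A manual 'npm list' check is easy to get wrong: a version range in package.json is not the version that runs, and a nested copy of mermaid pulled in by another dependency can sit below a patched top-level copy. The following is an added example (not part of this CVE entry or of the Mermaid project) that compares resolved semver strings against the patched release 8.13.8 and walks the JSON tree produced by 'npm ls --json --all' to find every installed copy. The dependency tree at the bottom is a constructed sample, and "docs-site-theme" is a hypothetical package name.

```javascript
// Added example: decide whether installed Mermaid versions are affected by
// CVE-2021-43861 (anything below 8.13.8, including 8.13.8 prereleases).
const PATCHED_VERSION = '8.13.8';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts.
// Ranges such as "^8.13.0" are rejected on purpose: only a resolved,
// installed version tells you what actually runs in the browser.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b.
// A prerelease of X.Y.Z sorts before the final X.Y.Z.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// Throws on unparsable input so an unknown version is never reported as safe.
function isVulnerableMermaidVersion(version) {
  const v = parseSemver(version);
  if (!v) throw new Error(`not a resolved semver version: ${version}`);
  return compareSemver(v, parseSemver(PATCHED_VERSION)) < 0;
}

// Recursively collect every installed mermaid version from the object that
// `npm ls --json --all` prints ("dependencies" maps nest arbitrarily deep).
function findMermaidVersions(npmLsJson, found = []) {
  const deps = npmLsJson.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    if (name === 'mermaid' && info.version) found.push(info.version);
    findMermaidVersions(info, found);
  }
  return found;
}

function auditMermaid(npmLsJson) {
  const installed = findMermaidVersions(npmLsJson);
  const vulnerable = installed.filter(isVulnerableMermaidVersion);
  return { installed, vulnerable };
}

// Constructed sample tree: a patched top-level copy plus a vulnerable copy
// pulled in transitively by a hypothetical "docs-site-theme" package.
const sampleNpmLs = {
  name: 'example-app',
  dependencies: {
    mermaid: { version: '8.13.8' },
    'docs-site-theme': {
      version: '1.0.0',
      dependencies: { mermaid: { version: '8.13.7' } },
    },
  },
};

console.log(auditMermaid(sampleNpmLs));
```

To run it on a real project, replace the constructed tree with the parsed output of 'npm ls --json --all' executed in the project directory; a non-empty 'vulnerable' list means at least one bundled copy still needs updating, even if the top-level dependency is already patched.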

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution in diagram rendering contexts
  • Multiple failed diagram parsing attempts

Network Indicators:

  • Unexpected outbound connections from diagram rendering pages
  • Suspicious script loading in diagram contexts

SIEM Query:

source="web_logs" AND (uri="*mermaid*" OR user_agent="*mermaid*") AND (status=500 OR response_time>5000)
