mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-13 17:04:36 +00:00
6a27066269
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.14.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0) |  |  | --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](e9b0f34d8d)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](8fead23c59)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [8fead23c59) - [e9b0f34d8d) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](37ff937f1d)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](4e2d512bf5)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [37ff937f1d) - [4e2d512bf5) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](64769738d5)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](a9d9f0d8eb)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @​zsxsoft on behalf of @​KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [64769738d5) - [a9d9f0d8eb) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](faafb5d491)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](a59ea56174)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [a59ea56174) - [faafb5d491) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](faafb5d491)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](a59ea56174)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [a59ea56174) - [faafb5d491) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](64769738d5)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](a9d9f0d8eb)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @​zsxsoft on behalf of @​KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [64769738d5) - [a9d9f0d8eb) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](37ff937f1d)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](4e2d512bf5)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [37ff937f1d) - [4e2d512bf5) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](e9b0f34d8d)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](8fead23c59)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [8fead23c59) - [e9b0f34d8d) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>mermaid-js/mermaid (mermaid)</summary> ### [`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) [Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0) ##### Minor Changes - [#​7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174) [`0aca217`](0aca21739c) Thanks [@​milesspencer35](https://redirect.github.com/milesspencer35)! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive - [#​7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512) [`8e17492`](8e17492f73) Thanks [@​aruncveli](https://redirect.github.com/aruncveli)! - feat(flowchart): add datastore shape In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`. - [#​6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440) [`9ad8dde`](9ad8dde6d0) Thanks [@​yordis](https://redirect.github.com/yordis), [@​lgazo](https://redirect.github.com/lgazo)! - feat: add Event Modeling diagram - [#​7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707) [`27db774`](27db774627) Thanks [@​txmxthy](https://redirect.github.com/txmxthy)! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source - [#​7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604) [`bf9502f`](bf9502fb60) Thanks [@​M-a-c](https://redirect.github.com/M-a-c)! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set `class.hierarchicalNamespaces=false` in your mermaid config: ```yaml config: class: hierarchicalNamespaces: false ``` - [#​7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272) [`88cdd3d`](88cdd3dc0a) Thanks [@​xinbenlv](https://redirect.github.com/xinbenlv)! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors ##### Patch Changes - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`e9b0f34`](e9b0f34d8d) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: prevent unbalanced CSS styles in classDefs - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`37ff937`](37ff937f1d) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: create CSS styles using the CSSOM This removes some invalid CSS and normalizes some CSS formatting. - [#​7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508) [`bfe60cc`](bfe60cc67b) Thanks [@​biiab](https://redirect.github.com/biiab)! - fix(stateDiagram): `end note` now only closes a note when used on a new line - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`faafb5d`](faafb5d491) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix(gantt): add iteration limit for `excludes` field - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`65f8be2`](65f8be2a42) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: disallow some CSS at-rules in custom CSS - [#​7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726) [`1502f32`](1502f32f3c) Thanks [@​aloisklink](https://redirect.github.com/aloisklink)! - fix(wardley): fix unnecessary sanitization of text - [#​7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578) [`1f98db8`](1f98db8e32) Thanks [@​Gaston202](https://redirect.github.com/Gaston202)! - fix(class): self-referential class multiplicity labels no longer rendered multiple times Fixes [#​7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560). Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions. - [#​7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592) [`2343e38`](2343e38498) Thanks [@​knsv-bot](https://redirect.github.com/knsv-bot)! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams - [#​7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589) [`7fb9509`](7fb9509b8b) Thanks [@​NYCU-Chung](https://redirect.github.com/NYCU-Chung)! - fix(block): prevent column widths from shrinking when mixing different column spans - [#​7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632) [`3f9e0f1`](3f9e0f15be) Thanks [@​ekiauhce](https://redirect.github.com/ekiauhce)! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams - [#​7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642) [`7a8fb85`](7a8fb8532c) Thanks [@​tractorjuice](https://redirect.github.com/tractorjuice)! - fix(wardley): allow hyphens in unquoted component names Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly. - [#​7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523) [`5144ed4`](5144ed4b13) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax. - [#​7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262) [`13d9bfa`](13d9bfa474) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax - [#​7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684) [`e14bb88`](e14bb88bdb) Thanks [@​aloisklink](https://redirect.github.com/aloisklink)! - fix: loosen `uuid` dependency range to allow v14 Mermaid does not use any of the vulnerable code in CVE-2026-41907, but this allows users to silence any `npm audit` alerts on it. - [#​7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633) [`9217c0d`](9217c0d8b2) Thanks [@​Felix-Garci](https://redirect.github.com/Felix-Garci)! - fix(block): add support for all arrow types in block diagrams - [#​7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587) [`5e7eb62`](5e7eb62e3a) Thanks [@​MaddyGuthridge](https://redirect.github.com/MaddyGuthridge)! - chore: drop lodash-es in favour of es-toolkit - [#​7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693) [`afaf306`](afaf306238) Thanks [@​dull-bird](https://redirect.github.com/dull-bird)! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels. Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule. Fixes [#​7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120). - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`4755553`](4755553d5f) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: improve D3 types for mermaidAPI funcs - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`6476973`](64769738d5) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: handle `&` when namespacing CSS rules - [#​7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520) [`8c1a0c1`](8c1a0c1fd1) Thanks [@​RodrigojndSantos](https://redirect.github.com/RodrigojndSantos)! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments Switch to using two `%%` if you want to write a comment. - Updated dependencies \[[`7a8fb85`](7a8fb8532c), [`675a64c`](675a64ca0e)]: - [@​mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@​1.1.1 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Gitea
Purpose
The goal of this project is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service.
As Gitea is written in Go, it works across all the platforms and architectures that are supported by Go, including Linux, macOS, and Windows on x86, amd64, ARM and PowerPC architectures. This project has been forked from Gogs since November of 2016, but a lot has changed.
For online demonstrations, you can visit demo.gitea.com.
For accessing free Gitea service (with a limited number of repositories), you can visit gitea.com.
To quickly deploy your own dedicated Gitea instance on Gitea Cloud, you can start a free trial at cloud.gitea.com.
Documentation
You can find comprehensive documentation on our official documentation website.
It includes installation, administration, usage, development, contributing guides, and more to help you get started and explore all features effectively.
If you have any suggestions or would like to contribute to it, you can visit the documentation repository
Building
From the root of the source tree, run:
TAGS="bindata" make build
The build target is split into two sub-targets:
make backendwhich requires Go Stable, the required version is defined in go.mod.make frontendwhich requires Node.js LTS or greater and pnpm.
Internet connectivity is required to download the go and npm modules. When building from the official source tarballs which include pre-built frontend files, the frontend target will not be triggered, making it possible to build without Node.js.
More info: https://docs.gitea.com/installation/install-from-source
Using
After building, a binary file named gitea will be generated in the root of the source tree by default. To run it, use:
./gitea web
Note
If you're interested in using our APIs, we have experimental support with documentation.
Contributing
Expected workflow is: Fork -> Patch -> Push -> Pull Request
Note
- YOU MUST READ THE CONTRIBUTORS GUIDE BEFORE STARTING TO WORK ON A PULL REQUEST.
- If you have found a vulnerability in the project, please write privately to security@gitea.io. Thanks!
Translating
Translations are done through Crowdin. If you want to translate to a new language, ask one of the managers in the Crowdin project to add a new language there.
You can also just create an issue for adding a language or ask on Discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty, but we hope to fill it as questions pop up.
Get more information from documentation.
Official and Third-Party Projects
We provide an official go-sdk, a CLI tool called tea and an action runner for Gitea Action.
We maintain a list of Gitea-related projects at gitea/awesome-gitea, where you can discover more third-party projects, including SDKs, plugins, themes, and more.
Communication
If you have questions that are not covered by the documentation, you can get in contact with us on our Discord server or create a post in the discourse forum.
Authors
Backers
Thank you to all our backers! 🙏 [Become a backer]
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
FAQ
How do you pronounce Gitea?
Gitea is pronounced /ɡɪ’ti:/ as in "gi-tea" with a hard g.
Why is this not hosted on a Gitea instance?
We're working on it.
Where can I find the security patches?
In the release log or the change log, search for the keyword SECURITY to find the security patches.
License
This project is licensed under the MIT License. See the LICENSE file for the full license text.
Further information
Looking for an overview of the interface? Check it out!
Login/Register Page
User Dashboard
User Profile
Explore
Repository
Repository Issue
Repository Pull Requests
Repository Actions
Repository Activity
Organization
