CVE-2022-36036 LOW

CVE-2022-36036: Improper Control of Generation of Code ('Code Injection') in mdx-mermaid

Vendor Sjwall
Product mdx-mermaid
Weakness CWE-94 · Code injection
Published August 29, 2022
Last update April 22, 2025

CVSS base score

3.6/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.

Key dates

02Disclosure timeline

August 29, 2022 CVE published
April 22, 2025 Record updated