Nixpkgs security tracker
5.3 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): Passive (P)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): Low (L)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Passive (P)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): Low (L)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Low (L)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.
References
-
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh exploitx_refsource_CONFIRM
-
https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 x_refsource_MISC
-
https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 x_refsource_MISC
Affected products
- ==< 10.9.6
- ==>= 11.0.0-alpha.1, < 11.15.0
Matching in nixpkgs
pkgs.mermaid-cli
Generation of diagrams from text in a similar manner as markdown
pkgs.mdbook-mermaid
Preprocessor for mdbook to add mermaid.js support
pkgs.mermaid-filter
Pandoc filter for creating diagrams in mermaid syntax blocks in markdown docs
pkgs.python312Packages.sphinxcontrib-mermaid
Mermaid diagrams in yours sphinx powered docs
pkgs.python313Packages.sphinxcontrib-mermaid
Mermaid diagrams in yours sphinx powered docs
pkgs.python314Packages.sphinxcontrib-mermaid
Mermaid diagrams in yours sphinx powered docs
pkgs.python312Packages.mkdocs-mermaid2-plugin
MkDocs plugin for including mermaid graphs in markdown sources
-
nixos-25.11 mermaid2-plugin-1.2.3
- nixos-25.11-small mermaid2-plugin-1.2.3
- nixpkgs-25.11-darwin mermaid2-plugin-1.2.3
pkgs.python313Packages.mkdocs-mermaid2-plugin
MkDocs plugin for including mermaid graphs in markdown sources
-
nixos-unstable mermaid2-plugin-1.2.3
- nixpkgs-unstable mermaid2-plugin-1.2.3
- nixos-unstable-small mermaid2-plugin-1.2.3
-
nixos-25.11 mermaid2-plugin-1.2.3
- nixos-25.11-small mermaid2-plugin-1.2.3
- nixpkgs-25.11-darwin mermaid2-plugin-1.2.3
pkgs.python314Packages.mkdocs-mermaid2-plugin
MkDocs plugin for including mermaid graphs in markdown sources
-
nixos-unstable mermaid2-plugin-1.2.3
- nixpkgs-unstable mermaid2-plugin-1.2.3
- nixos-unstable-small mermaid2-plugin-1.2.3
pkgs.tree-sitter-grammars.tree-sitter-mermaid
Tree-sitter grammar for mermaid
-
nixos-unstable 0-unstable-2024-04-22
- nixpkgs-unstable 0-unstable-2024-04-22
- nixos-unstable-small 0-unstable-2024-04-22
-
nixos-unstable 0.0.0+rev=90ae195
- nixpkgs-unstable 0.0.0+rev=90ae195
- nixos-unstable-small 0.0.0+rev=90ae195
pkgs.vscode-extensions.bierner.markdown-mermaid
Adds Mermaid diagram and flowchart support to VS Code's builtin markdown preview
pkgs.python313Packages.tree-sitter-grammars.tree-sitter-mermaid
Python bindings for tree-sitter-mermaid
-
nixos-unstable 0+unstable20240422
- nixpkgs-unstable 0+unstable20240422
- nixos-unstable-small 0+unstable20240422
pkgs.python314Packages.tree-sitter-grammars.tree-sitter-mermaid
Python bindings for tree-sitter-mermaid
-
nixos-unstable 0+unstable20240422
- nixpkgs-unstable 0+unstable20240422
- nixos-unstable-small 0+unstable20240422
Package maintainers
-
@xrelkd xrelkd
-
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
-
@ysndr Yannik Sander <me@ysndr.de>
-
@ners ners <ners@gmx.ch>
-
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
-
@A-jay98 Ali Jamadi <ali@jamadi.me>
-
@stepbrobd Yifei Sun <ysun@hey.com>
-
@adfaure Adrien Faure <adfaure@pm.me>
-
@aciceri Andrea Ciceri <andrea.ciceri@autistici.org>