Описание
Gogs vulnerable to Stored XSS via Mermaid diagrams
Summary
Stored XSS via mermaid diagrams due to usage of vulnerable renderer library
Details
Gogs introduced support for rendering mermaid diagrams in version 0.13.0.
Currently used version of the library mermaid 11.9.0 is vulnerable to at least two XSS scenarios with publicly available payloads
Resources: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
PoC
- Create a markdown file eg.
README.mdcontaining following malicious mermaid diagram (payload based on CVE-2025-54880)
- The XSS should pop whenever either repository or file is viewed
Demo
https://github.com/user-attachments/assets/98320f62-6c1c-4254-aa61-95598c725235
Impact
The attacker can potentially achieve account takeover In a worst case scenario if the victim were an instance admin this could lead to a compromise of the entire deployment
Proposed remediation steps
- Upgrade to a patched version of the third party library https://github.com/mermaid-js/mermaid/releases/tag/v10.9.5
- Consider running mermaid using
sandboxlevel which would mitigate impact of future potential cross-site scripting issues https://mermaid.js.org/config/usage.html#securitylevel
Ссылки
Пакеты
gogs.io/gogs
<= 0.13.3
0.13.4
7.3 High
CVSS3
Дефекты
7.3 High
CVSS3