
CVE-2022-36036: CWE-94: Improper Control of Generation of Code ('Code Injection') in sjwall mdx-mermaid

Medium
Published: Mon Aug 29 2022 (08/29/2022, 17:20:10 UTC)
Source: CVE
Vendor/Project: sjwall
Product: mdx-mermaid

Description

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.

AI-Powered Analysis

Last updated: 06/21/2025, 23:52:43 UTC

Technical Analysis

CVE-2022-36036 is a code injection vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the sjwall mdx-mermaid package. mdx-mermaid is a tool that integrates Mermaid diagrams into MDX (Markdown with JSX) environments, allowing users to embed and render Mermaid code blocks within MDX content. The vulnerability exists in versions prior to 1.3.0 and specifically in version 2.0.0-rc1. It allows an attacker to inject arbitrary JavaScript code by modifying Mermaid code blocks. When the vulnerable mdx-mermaid component loads these maliciously crafted Mermaid blocks, the injected JavaScript executes in the context of the MDXjs environment. This can lead to unauthorized code execution within applications that render MDX content using the affected versions of mdx-mermaid. The vulnerability was patched in versions 1.3.0 and 2.0.0-rc2. No known workarounds exist, and no exploits have been reported in the wild to date. The root cause is insufficient sanitization or validation of Mermaid code blocks before rendering, allowing arbitrary script injection. This vulnerability primarily impacts applications that dynamically render user-supplied or untrusted Mermaid diagrams via mdx-mermaid, potentially exposing them to cross-site scripting (XSS) or broader code execution risks depending on the application context.

Potential Impact

For European organizations, the impact of this vulnerability depends on their use of mdx-mermaid in web applications, documentation portals, or developer tools that render MDX content with Mermaid diagrams. Exploitation could lead to arbitrary JavaScript execution, resulting in data theft, session hijacking, or unauthorized actions within the affected application. This poses confidentiality and integrity risks, especially for organizations handling sensitive or proprietary information. Availability impact is limited but could occur if injected code disrupts application functionality. Since mdx-mermaid is often used in developer documentation or internal tools, exploitation could facilitate lateral movement or privilege escalation within corporate networks. The medium severity rating reflects the need for attacker control over Mermaid code blocks, which may require some level of access or user interaction to inject malicious content. However, the lack of authentication requirements for rendering MDX content in some deployments could increase exposure. European organizations relying on open-source documentation frameworks or developer portals integrating mdx-mermaid should prioritize remediation to prevent potential exploitation.

Mitigation Recommendations

1. Upgrade mdx-mermaid to version 1.3.0 or later, or 2.0.0-rc2 or later, as these versions contain the patch for this vulnerability.
2. Audit all applications and documentation sites using mdx-mermaid to identify affected versions.
3. Implement strict input validation and sanitization on Mermaid code blocks before rendering, especially if user-generated content is accepted.
4. Restrict the ability to modify Mermaid code blocks to trusted users only, minimizing the risk of malicious injection.
5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in web applications rendering MDX content.
6. Monitor logs and application behavior for unusual script execution or anomalies related to Mermaid rendering.
7. Educate developers and content creators about the risks of embedding untrusted Mermaid code and enforce secure content creation policies.
8. Consider isolating MDX rendering environments or sandboxing to contain potential code execution impacts.
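As an added example (not mdx-mermaid's own code, and not the project's actual fix), the following hypothetical MDX transform shows how splicing a Mermaid block straight into generated JavaScript becomes CWE-94, the serialized form that keeps the block as data, and an audit pass over MDX text that flags existing blocks containing template-literal metacharacters; the function names, the JSX shape and the sample MDX are assumptions.

```javascript
// Added example (not mdx-mermaid's own code): a hypothetical MDX transform
// that turns fenced mermaid blocks into JSX, the CWE-94 pattern beside its
// fixed form, and an audit of MDX text for blocks that would escape it.

// Hypothetical unsafe transform: chart text is spliced into a template
// literal in generated source, so "`" or "${" inside the chart ends the
// literal and the remainder is compiled as code.
function emitChartUnsafe(chart) {
  return "<Mermaid chart={`" + chart + "`} />";
}

// Fixed transform: the chart is serialized as a JSON string literal, which
// is valid JavaScript and cannot terminate early, so it stays data.
function emitChartSafe(chart) {
  return "<Mermaid chart={" + JSON.stringify(chart) + "} />";
}

// Verification: pull the literal back out of the safe output and confirm it
// round-trips to the original chart unchanged.
function roundTripsAsData(chart) {
  const m = emitChartSafe(chart).match(/chart=\{("(?:[^"\\]|\\.)*")\} \/>$/);
  return m !== null && JSON.parse(m[1]) === chart;
}

// Audit helper for existing content: list every triple-backtick mermaid
// fence in an MDX document and flag those containing template metacharacters.
const FENCE = "`".repeat(3);
function auditMermaidBlocks(mdx) {
  const re = new RegExp(FENCE + "mermaid[^\\n]*\\n([\\s\\S]*?)" + FENCE, "g");
  const findings = [];
  let match;
  while ((match = re.exec(mdx)) !== null) {
    findings.push({ block: findings.length + 1, risky: /`|\$\{/.test(match[1]) });
  }
  return findings;
}

// Constructed sample MDX: one ordinary diagram and one carrying a backtick
// and "${" inside a Mermaid comment.
const SAMPLE_MDX = [
  "# Architecture",
  FENCE + "mermaid",
  "graph TD; A-->B; B-->C;",
  FENCE,
  "Notes follow.",
  FENCE + "mermaid",
  "graph TD; A-->B; %% note with a ` and ${ inside",
  FENCE,
].join("\n");
```

Running `auditMermaidBlocks(SAMPLE_MDX)` reports the second block as risky, which is the kind of content an upgrade to a patched version removes the hazard for, while `roundTripsAsData` confirms the serialized form preserves any chart text verbatim.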


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf681b

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:52:43 PM

Last updated: 7/26/2025, 2:47:39 AM

