Dive Stored Cross-Site Scripting Vulnerability Leading to Remote Code Execution

Vulnerability

A critical stored cross-site scripting vulnerability has been identified in the Dive application, specifically in versions prior to 0.11.1. The issue arises in the Mermaid diagram rendering component, where the application improperly configures the Mermaid library to allow the execution of arbitrary JavaScript via 'javascript:' URLs. This vulnerability can be exploited by injecting a malicious Model Context Protocol (MCP) server configuration, which, when activated, executes remote code on the victim's machine.

Impact

Exploitation of this vulnerability allows for remote code execution on the victim's machine.

Reproduction

To reproduce this vulnerability, create a Mermaid diagram with a node that includes a 'javascript:' URL payload. This payload should be crafted to inject a malicious MCP server configuration using the application's internal API proxy. Once the diagram is rendered, clicking the node will trigger the execution of the injected JavaScript, overwriting the MCP server configuration with a command that is executed by the backend service.

Remediation

Update to Dive version 0.11.1 or later, where this vulnerability has been patched.
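Mermaid's `securityLevel` option controls this class of bug: its documented default `'strict'` disables click interactions, while `'loose'` enables them and lets `javascript:` link targets through; the advisory does not say which setting Dive used, so that is an assumption here. The following is an added example, not Dive's or Mermaid's own code: a defence-in-depth filter that flags and strips click directives with unsafe link schemes or callbacks before untrusted diagram text reaches the renderer.

```javascript
// Added example, not Dive's or Mermaid's own code. Assumes mermaid.initialize({ securityLevel: 'strict' })
// (Mermaid's documented default, disabling click interactions) is the primary fix; this is an extra check.

// Schemes that give the renderer script execution or an attacker-controlled document.
const UNSAFE_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

// Normalise a link target roughly as browsers do before matching the scheme:
// percent-decode, drop control characters and whitespace, lower-case.
function normaliseUrl(raw) {
  let s = raw;
  try { s = decodeURIComponent(s); } catch (_) { /* malformed escape: keep raw form */ }
  return s.replace(/[\u0000-\u0020\u007f-\u009f]/g, '').toLowerCase();
}

function isUnsafeUrl(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normaliseUrl(raw));
  return m !== null && UNSAFE_SCHEMES.has(m[1]);
}

// Flowchart click forms: `click <id> "<url>"` and `click <id> href "<url>"` are links;
// anything else (`click <id> cb`, `click <id> call cb()`) is a JavaScript callback.
const CLICK_RE = /^\s*click\s+(\S+)\s+(.*)$/i;
const LINK_RE = /^(?:href\s+)?"([^"]*)"/i;

// One finding per click directive that must not reach a loose-mode renderer.
function auditMermaidSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const click = CLICK_RE.exec(line);
    if (!click) return;
    const [, nodeId, rest] = click;
    const link = LINK_RE.exec(rest);
    if (!link) {
      findings.push({ line: idx + 1, nodeId, reason: 'callback click directive' });
    } else if (isUnsafeUrl(link[1])) {
      findings.push({ line: idx + 1, nodeId, reason: 'unsafe link scheme' });
    }
  });
  return findings;
}

// Drop flagged directives so the rest of the diagram still renders.
function stripUnsafeClicks(source) {
  const bad = new Set(auditMermaidSource(source).map((f) => f.line));
  return source.split(/\r?\n/).filter((_, i) => !bad.has(i + 1)).join('\n');
}

// Constructed sample diagram (not from the advisory); line 5 hides the scheme behind a %09 tab.
const SAMPLE = ['graph TD', '  A[Docs] --> B[Settings]', '  click A "https://example.com/docs" "Docs"',
  '  click B "javascript:void(0)"', '  click C "JAVA%09SCRIPT:void(0)"', '  click D myCallback "tooltip"'].join('\n');
```

`auditMermaidSource(SAMPLE)` reports nodes B and C for unsafe schemes and D for a callback; `stripUnsafeClicks(SAMPLE)` keeps only the three safe lines.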

Added: Dec 19, 2025, 5:20 PM
Updated: Dec 19, 2025, 6:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.