Mermaid Denial-of-Service Vulnerability in Gantt Chart Rendering

Vulnerability

A denial-of-service vulnerability has been identified in Mermaid versions prior to 10.9.6 and 11.15.0. The issue arises when a Gantt chart uses the 'excludes' attribute to exclude all dates, which sends the renderer into an infinite loop. 'mermaid.parse' itself is not affected, but calling 'ganttDb.getTasks()' after parsing can trigger the issue. Affected versions are 11.0.0-alpha.1 through 11.14.0, and 10.9.5 and prior.

Impact

Excluding all dates in Gantt charts can cause an infinite loop, disrupting the rendering process and potentially leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, create a Gantt chart in Mermaid and use the 'excludes' attribute to exclude all days of the week. When the chart is rendered, it will enter an infinite loop, causing a denial-of-service condition.
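The following is an added example, not Mermaid's own code, showing the defensive side of the issue described in the Vulnerability and Reproduction sections: a pre-render guard that reads the 'excludes' line of a Gantt definition and refuses to render when every weekday is excluded, plus a bounded model of the "advance to the next included day" search whose unbounded form is what never terminates. Function names (`excludedWeekdays`, `checkGanttDefinition`, `nextIncludedDay`), the 366-day step limit, and the sample chart definitions are assumptions of this example; they are not Mermaid's internals or API.

```javascript
// Added example (not Mermaid's code): guard Gantt definitions before rendering.
// Mermaid's `excludes` line accepts weekday names, the keyword `weekends`, and
// explicit dates. If the resulting set covers every day, a renderer that walks
// forward looking for a non-excluded day never finds one.

const WEEKDAYS = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'];

// Collect the weekdays excluded by every `excludes ...` line of a definition.
// Explicit dates are ignored here: they cannot exclude all dates on their own.
function excludedWeekdays(ganttSource) {
  const excluded = new Set();
  for (const rawLine of ganttSource.split(/\r?\n/)) {
    const m = /^excludes\s+(.+)$/i.exec(rawLine.trim());
    if (!m) continue;
    for (const tok of m[1].split(/[\s,]+/)) {
      const t = tok.toLowerCase();
      if (t === 'weekends') {
        excluded.add('saturday');
        excluded.add('sunday');
      } else if (WEEKDAYS.includes(t)) {
        excluded.add(t);
      }
    }
  }
  return excluded;
}

// Pre-render check: refuse definitions whose excludes cover all seven weekdays.
function checkGanttDefinition(ganttSource) {
  const excluded = excludedWeekdays(ganttSource);
  if (excluded.size === WEEKDAYS.length) {
    return { ok: false, reason: 'excludes covers every weekday; no date could ever be scheduled' };
  }
  return { ok: true, reason: '' };
}

// Model (assumed, not Mermaid's implementation) of the search that underlies
// the bug: move forward one day at a time until a non-excluded day is found.
// A bounded step count turns a hang into a thrown error that fails closed.
function nextIncludedDay(startDate, excluded, maxSteps = 366) {
  const d = new Date(startDate.getTime());
  for (let i = 0; i < maxSteps; i++) {
    // getUTCDay(): 0 = Sunday ... 6 = Saturday; map onto the Monday-first list.
    const name = WEEKDAYS[(d.getUTCDay() + 6) % 7];
    if (!excluded.has(name)) return d;
    d.setUTCDate(d.getUTCDate() + 1);
  }
  throw new RangeError(`no included day within ${maxSteps} days: every day is excluded`);
}

// Constructed sample definitions for the checks below.
const ALL_DAYS_EXCLUDED = `gantt
  title Constructed sample: every weekday excluded
  dateFormat YYYY-MM-DD
  excludes monday, tuesday, wednesday, thursday, friday, weekends
  section Work
  Task 1 :t1, 2024-01-05, 3d`;

const WEEKENDS_ONLY = `gantt
  title Constructed sample: weekends excluded
  dateFormat YYYY-MM-DD
  excludes weekends
  section Work
  Task 1 :t1, 2024-01-05, 3d`;

// Stand-alone run: report which sample would be refused.
for (const [label, src] of [['all days', ALL_DAYS_EXCLUDED], ['weekends only', WEEKENDS_ONLY]]) {
  const result = checkGanttDefinition(src);
  console.log(label, result.ok ? 'ok to render' : `refused: ${result.reason}`);
}
```

Running `checkGanttDefinition` on user-supplied diagram text before handing it to the renderer gives a cheap mitigation for deployments that cannot upgrade immediately; the bounded `nextIncludedDay` shows the shape of the fix any date-walking loop needs so that an impossible schedule surfaces as an error rather than a hang.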

Remediation

Users can update to Mermaid version 10.9.6 or 11.15.0, both of which include the necessary fix. Instructions for downloading these versions are available on the Mermaid GitHub Releases page.

Added: May 29, 2026, 3:23 PM
Updated: May 29, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.