Blog

News from the bpmn.io project

Updated Modeling Toolkits Fix HTML Injection Vulnerabilities

Published by Nico Rehwaldt on Thursday, 13 June 2019.


Patched versions of our BPMN, CMMN and DMN editors address two HTML injection / cross-site scripting vulnerabilities. We recommend that users upgrade.

Two issues in lower level components of our toolkits have been reported by the community:

These issues affect all editors for BPMN, CMMN and DMN. They allow an attacker to execute arbitrary JavaScript in the context of a website embedding our modelers if the victim is lured into pasting a crafted piece of HTML. Our viewer distributions are not affected by this issue.
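To make the class of bug concrete, here is an added JavaScript illustration. It is not code from bpmn-js or diagram-js and not the actual patch; it assumes the general pattern behind an HTML injection via paste, namely pasted text being concatenated into markup unescaped, and contrasts that with an escaped rendering. The `renderLabel*` functions, the `label` class name and the crafted sample string are all constructed for this example.

```javascript
// Added example (not bpmn-js / diagram-js code): unsafe versus escaped rendering
// of text that a user pasted into an editor label.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Unsafe pattern (assumed shape of an HTML injection bug): pasted text goes straight
// into markup, so any tags it carries become live DOM once the string is rendered.
function renderLabelUnsafe(label) {
  return `<div class="label">${label}</div>`;
}

// Hardened pattern: escape before concatenation, so pasted tags show up as plain text.
function renderLabelSafe(label) {
  return `<div class="label">${escapeHtml(label)}</div>`;
}

// Regression check a test suite can run over rendered markup: strip the wrapper we
// emitted ourselves and report whether any other tag opener survived.
function containsForeignTag(markup) {
  const inner = markup.replace(/^<div class="label">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample of a "crafted piece of HTML" arriving through a paste action.
const CRAFTED_LABEL = 'Approve order<script>/* attacker-controlled */</script>';

console.log('unsafe:', renderLabelUnsafe(CRAFTED_LABEL), '->', containsForeignTag(renderLabelUnsafe(CRAFTED_LABEL)));
console.log('safe:  ', renderLabelSafe(CRAFTED_LABEL), '->', containsForeignTag(renderLabelSafe(CRAFTED_LABEL)));
```

In real browser code the simplest mitigation is to avoid building markup from pasted strings at all and assign them via `textContent` (or an SVG text node) instead of `innerHTML`; the escaping helper above is for the cases where markup is unavoidably assembled as a string, and the `containsForeignTag` check is the kind of assertion that keeps such a fix from regressing.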

Patched Versions

The following library releases fix the issues:

  • bpmn-js@3.4.2
  • bpmn-js@2.5.3
  • cmmn-js@0.18.1
  • dmn-js@6.3.3
  • diagram-js@3.3.1
  • diagram-js@2.6.2

Credits

Thanks to naoey for reporting the initial bug.
