
News from the bpmn.io project

Updated Modeling Toolkits Fix HTML Injection Vulnerabilities

Published by Nico Rehwaldt on Thursday, 13 June 2019.

Tags: bpmn-js 3.4.2, bpmn-js 2.5.3, cmmn-js 0.18.1, dmn-js 6.3.3, diagram-js 3.3.1, diagram-js 2.6.2

Patched versions of our BPMN, CMMN and DMN editors address two HTML injection / cross-site scripting vulnerabilities. We recommend that users upgrade.

Two issues in lower-level components of our toolkits have been reported by the community:

These issues affect all editors for BPMN, CMMN and DMN. They allow an attacker to execute arbitrary JavaScript in the context of a website embedding our modelers if the victim is lured into pasting a crafted piece of HTML. Our viewer distributions are not affected by this issue.
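The general defence against this class of bug is to treat clipboard content as untrusted text and never let it reach the DOM as markup. The following is an added illustration, not code from bpmn-js, diagram-js or the actual fix: it reads only the `text/plain` flavour of a paste and HTML-escapes any user-controlled label before it is placed into markup. The `getData(type)` interface mirrors the browser's `DataTransfer`, but the clipboard object used here is a constructed stand-in so the example runs outside a browser.

```javascript
// Added example (not bpmn-js / diagram-js code): two defensive building blocks
// against HTML injection through pasted content in a browser-based editor.
//
// 1. escapeHtml: encode the five characters that can change HTML structure,
//    so user-controlled text (element names, labels) can be placed into
//    innerHTML or an attribute value without being parsed as markup.
// 2. pastedText: take only the text/plain flavour of a paste and ignore any
//    text/html flavour, so clipboard markup never reaches the DOM.
//
// The clipboard object is assumed to expose getData(type) like a browser
// DataTransfer; the sample object below is constructed for this example.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function pastedText(clipboardData) {
  // Only the plain-text flavour is ever used; text/html is never consulted.
  const plain = clipboardData.getData('text/plain') || '';
  // Drop control characters except tab, LF and CR.
  return plain.replace(/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/g, '');
}

// Building label markup with the escaped text. In a real DOM the safer route
// is createElement + textContent; this string form shows the escaped output.
function renderLabelMarkup(label) {
  return `<span class="label">${escapeHtml(label)}</span>`;
}

// Constructed stand-in for a DataTransfer (not a real browser object).
const sampleClipboard = {
  data: {
    'text/html': '<b>Task</b><script>/* markup that must never be inserted */</script>',
    'text/plain': 'Task',
  },
  getData(type) {
    return this.data[type] || '';
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(pastedText(sampleClipboard));           // Task
  console.log(renderLabelMarkup('<b>Task</b>'));       // <span class="label">&lt;b&gt;Task&lt;/b&gt;</span>
}
```

The two pieces are independent: reading only `text/plain` removes markup at the point of entry, and escaping at the point of rendering protects against text that arrives by other routes (imported diagrams, API calls). An editor that does both is not relying on a single control.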

Patched Versions

The following library releases fix the issues:

  • bpmn-js@3.4.2
  • bpmn-js@2.5.3
  • cmmn-js@0.18.1
  • dmn-js@6.3.3
  • diagram-js@3.3.1
  • diagram-js@2.6.2
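Because the fix was shipped on more than one release line (bpmn-js 3.4.2 and 2.5.3, diagram-js 3.3.1 and 2.6.2), "patched" has to be judged against the listed version of the same major line, not simply the highest version. The following added check (not part of the bpmn.io release notes or tooling) compares a set of installed versions against the list above; a major line with no listed fix is flagged for manual review rather than assumed safe. The installed versions below are constructed sample data.

```javascript
// Added example (not bpmn.io tooling): audit installed toolkit versions
// against the patched releases listed in this announcement.
// Rule: a package is patched only if its installed version is >= the listed
// fixed version of the SAME major line. A major line with no listed fix is
// reported as 'unknown-line' for manual review.

const PATCHED = {
  'bpmn-js':    ['3.4.2', '2.5.3'],
  'cmmn-js':    ['0.18.1'],
  'dmn-js':     ['6.3.3'],
  'diagram-js': ['3.3.1', '2.6.2'],
};

// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release or build suffix).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns one of: 'patched', 'vulnerable', 'unknown-line', 'not-installed'.
function auditPackage(name, installedVersion) {
  if (!installedVersion) return 'not-installed';
  const major = parseVersion(installedVersion)[0];
  const fixed = (PATCHED[name] || []).find((v) => parseVersion(v)[0] === major);
  if (!fixed) return 'unknown-line';
  return compareVersions(installedVersion, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Audit every package in PATCHED against a map of installed versions.
function audit(installed) {
  const report = {};
  for (const name of Object.keys(PATCHED)) {
    report[name] = auditPackage(name, installed[name]);
  }
  return report;
}

// Constructed sample of installed versions (e.g. as taken from
// `npm ls --depth=0 --json`); not real project data.
const sampleInstalled = {
  'bpmn-js': '3.4.1',
  'cmmn-js': '0.17.0',
  'dmn-js': '6.3.3',
  'diagram-js': '2.6.2',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(audit(sampleInstalled));
}
```

Note that diagram-js is a transitive dependency of the editors, so an audit of direct dependencies alone can miss it; the lock file or `npm ls` output is the right input for the `installed` map.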

Credits

Thanks to naoey for reporting the initial bug.
