XSS with CSP bypass on WEB instances in jgraph/drawio


Reported on

Sep 5th 2022

📝 Description

Drawio WEB instances allow https://storage.googleapis.com in the CSP script-src. Combined with the XSS found in this report, this makes it possible to bypass the CSP and leak private diagram content.

🕵️‍♂️ Proof of Concept

On the web application side, JavaScript execution is restricted by the following CSP:

script-src https://www.dropbox.com https://api.trello.com 'self' https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes=' 'sha256-r/ILW7KMSJxeo9EYqCTzZyCT0PZ9gHN1BLgki7vpR+A=' 'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=' 'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc='

Because the policy allows scripts from https://storage.googleapis.com, the public URL under which every Google Cloud Storage bucket is served, an attacker can upload a script to a bucket they control and load it from there: the CSP is satisfied and the attacker's code executes in the drawio origin.
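To make the allowlist problem concrete, here is an added example (not drawio code and not part of the original report): a small script-src matcher, simplified from the CSP3 host-source rules, run over the report's policy before and after the fix. The page origin https://app.diagrams.net and the attacker bucket path are assumptions, and the hash sources are abbreviated to one; everything else is the policy as quoted above.

```javascript
// Added example: minimal CSP script-src evaluator. Not drawio code.
// Host-source matching follows CSP3 in simplified form (scheme, wildcard
// subdomain, port, path prefix); keyword/hash/nonce sources never match a URL.

// Constructed input: the script-src from the report (hashes abbreviated to one).
const ORIGINAL_CSP =
  "script-src https://www.dropbox.com https://api.trello.com 'self' " +
  "https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com " +
  "https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes='";

// Assumed page origin for 'self' (a drawio WEB instance).
const PAGE_ORIGIN = 'https://app.diagrams.net';

// Hypothetical attacker-controlled object; any bucket is served under this one host.
const ATTACKER_SCRIPT = 'https://storage.googleapis.com/attacker-bucket/payload.js';

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Source expressions of the named directive, or null if the directive is absent.
function directiveSources(csp, name) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Does a host-source such as https://storage.googleapis.com or https://*.pusher.com
// permit fetching `url`? pageScheme is used when the source carries no scheme.
function hostSourceMatches(source, url, pageScheme) {
  const urlScheme = url.protocol.replace(':', '').toLowerCase();
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(source);
  if (schemeOnly) return schemeOnly[1].toLowerCase() === urlScheme;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i
    .exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    const s = scheme.toLowerCase();
    if (s !== urlScheme && !(s === 'http' && urlScheme === 'https')) return false;
  } else if (urlScheme !== pageScheme && urlScheme !== 'https') {
    return false;
  }
  const h = url.hostname.toLowerCase();
  const s = host.toLowerCase();
  if (wildcard) {
    if (!(h.endsWith('.' + s) && h.length > s.length + 1)) return false; // bare host excluded
  } else if (h !== s) {
    return false;
  }
  if (port) {
    const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
    if (port !== '*' && port !== urlPort) return false;
  } else if (url.port) {
    return false; // no port in source: only the scheme's default port matches
  }
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// The script-src expression that permits loading scriptUrl, or null if none does.
function findAllowingSource(csp, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = directiveSources(csp, 'script-src') || directiveSources(csp, 'default-src') || [];
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  const pageScheme = page.protocol.replace(':', '').toLowerCase();
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === page.origin) return src;
      continue;
    }
    if (src.startsWith("'")) continue; // keywords, nonces and hashes never match a URL
    if (src === '*') return src;
    if (hostSourceMatches(src, url, pageScheme)) return src;
  }
  return null;
}

// The upstream fix in this report: drop one host from script-src.
function removeSource(csp, name, source) {
  return csp.split(';').map((d) => {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length || tokens[0].toLowerCase() !== name) return d.trim();
    return tokens.filter((t) => t !== source).join(' ');
  }).filter(Boolean).join('; ');
}

const FIXED_CSP = removeSource(ORIGINAL_CSP, 'script-src', 'https://storage.googleapis.com');

console.log('original policy allows attacker script via:', findAllowingSource(ORIGINAL_CSP, ATTACKER_SCRIPT));
console.log('fixed policy allows attacker script via:   ', findAllowingSource(FIXED_CSP, ATTACKER_SCRIPT));
```

The matcher makes the root cause visible: a host-source without a path matches every object under that host, so allowlisting a shared multi-tenant origin like storage.googleapis.com is equivalent to allowlisting any script an attacker cares to upload. The same check shows that https://*.pusher.com matches subdomains only, and that the fixed policy rejects the bucket URL while still permitting the application's own scripts via 'self'.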

  "plugins": [

An attacker could use this to read any user's confidential diagram content.

David Benson validated this vulnerability a year ago
David Benson marked this as fixed in 20.2.8 with commit 59887e a year ago
David Benson, a year ago:

Thanks for the report, entry has been removed from CSP.
