Nixpkgs security tracker

Login with GitHub

Suggestions search

Untriaged

Filter by:

With package: drawio-headless

Found 1 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-42195

3.4 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 2 weeks, 2 days ago Activity log

Created suggestion 2 weeks, 2 days ago

Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.

References

https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x x_refsource_CONFIRM
https://github.com/jgraph/drawio/issues/493 x_refsource_MISC
https://github.com/jgraph/drawio/releases/tag/v29.7.9 x_refsource_MISC

Affected products

drawio

==< 29.7.9

Matching in nixpkgs

pkgs.drawio

Desktop version of draw.io for creating diagrams

nixos-unstable 29.7.9
- nixpkgs-unstable 29.7.9
- nixos-unstable-small 29.7.9
nixos-25.11 29.0.3
- nixos-25.11-small 29.0.3
- nixpkgs-25.11-darwin 29.0.3

pkgs.drawio-headless

xvfb wrapper around drawio

nixos-unstable 29.7.9
- nixpkgs-unstable 29.7.9
- nixos-unstable-small 29.7.9
nixos-25.11 29.0.3
- nixos-25.11-small 29.0.3
- nixpkgs-25.11-darwin 29.0.3

pkgs.pandoc-drawio-filter

Pandoc filter which converts draw.io diagrams to PDF

nixos-unstable 1.1
- nixpkgs-unstable 1.1
- nixos-unstable-small 1.1
nixos-25.11 1.1
- nixos-25.11-small 1.1
- nixpkgs-25.11-darwin 1.1

pkgs.python312Packages.mkdocs-drawio-file

Embedding files of Diagrams.net (Draw.io) into MkDocs

nixos-25.11 1.5.2
- nixos-25.11-small 1.5.2
- nixpkgs-25.11-darwin 1.5.2

pkgs.python313Packages.mkdocs-drawio-file

Embedding files of Diagrams.net (Draw.io) into MkDocs

nixos-unstable 1.5.2
- nixpkgs-unstable 1.5.2
- nixos-unstable-small 1.5.2
nixos-25.11 1.5.2
- nixos-25.11-small 1.5.2
- nixpkgs-25.11-darwin 1.5.2

pkgs.python314Packages.mkdocs-drawio-file

Embedding files of Diagrams.net (Draw.io) into MkDocs

nixos-unstable 1.5.2
- nixpkgs-unstable 1.5.2
- nixos-unstable-small 1.5.2

pkgs.vscode-extensions.hediet.vscode-drawio

This unofficial extension integrates Draw.io into VS Code

nixos-unstable 1.9.0
- nixpkgs-unstable 1.9.0
- nixos-unstable-small 1.9.0
nixos-25.11 1.9.0
- nixos-25.11-small 1.9.0
- nixpkgs-25.11-darwin 1.9.0

pkgs.python312Packages.mkdocs-drawio-exporter

Module for exporting Draw.io diagrams

nixos-25.11 0.10.2
- nixos-25.11-small 0.10.2
- nixpkgs-25.11-darwin 0.10.2

pkgs.python313Packages.mkdocs-drawio-exporter

Module for exporting Draw.io diagrams

nixos-unstable 0.10.2
- nixpkgs-unstable 0.10.2
- nixos-unstable-small 0.10.2
nixos-25.11 0.10.2
- nixos-25.11-small 0.10.2
- nixpkgs-25.11-darwin 0.10.2

pkgs.python314Packages.mkdocs-drawio-exporter

Module for exporting Draw.io diagrams

nixos-unstable 0.10.2
- nixpkgs-unstable 0.10.2
- nixos-unstable-small 0.10.2

Package maintainers

@DarkOnion0 Alexandre Peruggia <darkgenius1@protonmail.com>
@tfc Jacek Galowicz <jacek@galowicz.de>
@snpschaaf Philippe Schaaf <philipe.schaaf@secunet.com>
@TheMaxMur Maxim Muravev <muravjev.mak@yandex.ru>

1