CVE-2025-54880
Published: 2025-08-19
CVE-2025-54880: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams…
Priority: P4 (28) · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.34% (26.0th percentile)
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-mermaid | — | — |
| gogs.io | gogs | >= 0 < 0.13.4 | 0.13.4 |
| mermaid-js | mermaid | — | — |
| mermaid_project | mermaid | >= 11.1.0 < 11.10.0 | 11.10.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 5.1 | MEDIUM | — |
| osv | — | 5.1 | MEDIUM | — |
| vendor_debian | — | 5.1 | LOW | — |
OSV
Gogs vulnerable to Stored XSS via Mermaid diagrams
osv·2026-02-06·CVSS 5.1·[MEDIUM]
### Summary
Stored XSS via mermaid diagrams due to usage of a vulnerable renderer library
### Details
Gogs introduced support for rendering mermaid diagrams in version [0.13.0.](https://github.com/gogs/gogs/releases/tag/v0.13.0)
The currently used version of the library, [mermaid 11.9.0](https://github.com/gogs/gogs/tree/main/public/plugins/mermaid-11.9.0), is vulnerable to at least two XSS scenarios with publicly available payloads.
Resources:
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
### PoC
1. Create a markdown file, e.g. `README.md`, containing the following malicious mermaid diagram (payload based on [CVE-2025-54880](https://github.
GHSA
Gogs vulnerable to Stored XSS via Mermaid diagrams
ghsa·2026-02-06·CVSS 5.1·[MEDIUM]·CWE-1395
(Same advisory text as the OSV entry above.)
OSV
CVE-2025-54880: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams
osv·2025-08-19·CVSS 5.1·[MEDIUM]
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.
GHSA
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
ghsa·2025-08-19·[MEDIUM]·CWE-79
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method, creating a sink for cross site scripting.
### Details
Architecture diagram service `iconText` values are passed to the d3 `html()` method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in its default configuration.
The vulnerability lies here:
```ts
export const drawServices = async function (
  db: ArchitectureDB,
  elem: D3Element,
  services: ArchitectureService[]
): Promise {
  for (const service of services) {
    /** ... **/
    } else if (service.iconText) {
      // service.iconText is interpolated into markup handed to d3's html():
      // the HTML sink the advisory describes.
      bkgElem.html(
        `${await getIconSVG('blank', { height: iconSize, width: i
        // (snippet truncated as quoted on this page)
```
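The snippet above shows the sink but not the contrast with a safe rendering path. The following is an added example, not mermaid's code and not the 11.10.0 fix (see the linked commits for that). It uses an assumed `FakeSelection` stand-in for a d3 selection so it runs in Node without a DOM, and constructed sample `iconText` values; `escapeHtml`, `renderIconVulnerable`, `renderIconHardened` and `looksLikeMarkup` are illustrative names, not mermaid APIs.

```javascript
// Added example (not mermaid's own code). A stand-in for d3's
// selection.html() shows why interpolating untrusted iconText into the
// markup is an XSS sink, and what escaping it first changes.
// FakeSelection is an assumption for running without a DOM: it records
// the markup it is given instead of parsing it into live elements.

class FakeSelection {
  constructor() { this.markup = ''; }
  // d3's selection.html(value) assigns innerHTML, so any tag inside
  // `value` becomes live DOM. Here the string is only kept for inspection.
  html(value) { this.markup = value; return this; }
}

// Escape the five characters that can break out of a text node or a
// double/single-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape, modelled on the advisory's description: iconText goes
// into the template string unescaped, then into html().
function renderIconVulnerable(service) {
  const sel = new FakeSelection();
  sel.html(`<g class="icon-text">${service.iconText}</g>`);
  return sel.markup;
}

// Hardened shape: escape first, so '<' arrives as '&lt;' and cannot open
// a tag. Setting the label through selection.text() instead of html()
// is the other common way to close this sink.
function renderIconHardened(service) {
  const sel = new FakeSelection();
  sel.html(`<g class="icon-text">${escapeHtml(service.iconText)}</g>`);
  return sel.markup;
}

// Triage check for already-stored content (for example a README in a
// Gogs repository): does a candidate iconText start a tag or a comment?
// Plain "a < b" is not flagged, because browsers treat it as text.
function looksLikeMarkup(s) {
  return /<\/?[a-z!?]/i.test(String(s));
}

// Constructed sample input: a benign label and a classic XSS probe.
const SAMPLE_BENIGN = { iconText: 'DB' };
const SAMPLE_HOSTILE = { iconText: '<img src=x onerror=alert(document.domain)>' };

console.log('vulnerable:', renderIconVulnerable(SAMPLE_HOSTILE));
console.log('hardened:  ', renderIconHardened(SAMPLE_HOSTILE));
```

Run with `node` to see the two markup strings side by side: the vulnerable path emits the `<img ... onerror=...>` tag verbatim, which a real d3 selection would parse into a live element, while the hardened path emits `&lt;img ...&gt;`, which renders as literal text. The `looksLikeMarkup` check is deliberately narrow; it is a triage aid for finding suspicious stored diagrams, not a substitute for upgrading mermaid to 11.10.0 or later.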
OSV
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
osv·2025-08-19·[MEDIUM]
(Same advisory text as the GHSA entry above.)
Debian
CVE-2025-54880: node-mermaid
vendor_debian·2025·CVSS 5.1·[MEDIUM]
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
References:
https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
Published: 2025-08-19