CVE-2025-54880 — Cross-site Scripting in Project Mermaid

CWE-79 — Cross-site Scripting CWE-1395 — Dependency on Vulnerable Third-Party Component7 documents4 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 99.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gogs.io Gogs Mermaid Project Mermaid Mermaid-js Mermaid +1 more

Timeline

PublishedAug 19

Latest updateFeb 6

Description

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages5 packages

▶NVDmermaid_project/mermaid11.1.0 — 11.10.0

▶npmmermaid_project/mermaid11.1.0 — 11.10.0

▶CVEListV5mermaid-js/mermaid>= 11.1.0, < 11.10.0

▶debiandebian/node-mermaid

▶Gogogs.io/gogs< 0.13.4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gogs vulnerable to Stored XSS via Mermaid diagrams↗2026-02-06

▶

GHSA

Gogs vulnerable to Stored XSS via Mermaid diagrams↗2026-02-06

▶

OSV

CVE-2025-54880: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex d↗2025-08-19

▶

GHSA

Mermaid does not properly sanitize architecture diagram iconText leading to XSS↗2025-08-19

▶

OSV

Mermaid does not properly sanitize architecture diagram iconText leading to XSS↗2025-08-19

▶

📋Vendor Advisories

Debian

CVE-2025-54880: node-mermaid - Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-i...↗2025

▶