CVE-2025-54881 — Cross-site Scripting in Project Mermaid

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 96.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mermaid Project Mermaid Mermaid-js Mermaid Debian Node-mermaid

Timeline

PublishedAug 19

Description

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

▶npmmermaid_project/mermaid11.0.0-alpha.1 — 11.10.0+1

▶CVEListV5mermaid-js/mermaid>= 10.9.0-rc.1, <= 11.9.0

▶debiandebian/node-mermaid

🔴Vulnerability Details

OSV

CVE-2025-54881: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex d↗2025-08-19

▶

OSV

Mermaid improperly sanitizes sequence diagram labels leading to XSS↗2025-08-19

▶

GHSA

Mermaid improperly sanitizes sequence diagram labels leading to XSS↗2025-08-19

▶

📋Vendor Advisories

Debian

CVE-2025-54881: node-mermaid - Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-i...↗2025

▶