Description
Mermaid before 8.11.0 allows XSS when the antiscript feature is used.
Recommendation
Update the mermaid package to the latest compatible version. Version details:
- Affected version(s): < 8.11.0
- Patched version(s): 8.11.0
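As an added example (not from this advisory or the Mermaid project), a small check that takes the text of a mermaid package.json and reports whether its version is inside the affected range < 8.11.0; it compares versions by semver precedence, so a prerelease such as 8.11.0-rc.1 is still counted as affected. The package.json content below is a constructed sample.

```javascript
// Added example, not from the advisory: is a mermaid version in the affected range (< 8.11.0)?
const PATCHED_VERSION = "8.11.0";

// Constructed sample of a node_modules/mermaid/package.json (not a real file).
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: "mermaid", version: "8.10.2" });

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare one dot-separated prerelease identifier: numeric < alphanumeric, numerics by value.
function comparePreIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Semver precedence: -1, 0 or 1. A prerelease sorts below its release (8.11.0-rc.1 < 8.11.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === null || pb.pre === null) return pa.pre === pb.pre ? 0 : pa.pre === null ? 1 : -1;
  const ia = pa.pre.split("."), ib = pb.pre.split(".");
  for (let i = 0; i < Math.min(ia.length, ib.length); i++) {
    const c = comparePreIdent(ia[i], ib[i]);
    if (c !== 0) return c;
  }
  return Math.sign(ia.length - ib.length); // longer prerelease list has higher precedence
}

// True when the version is in the affected range (< 8.11.0).
function isAffected(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Read the version out of package.json text and classify it.
function checkMermaidPackage(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  if (pkg.name !== "mermaid") throw new Error(`not a mermaid package.json: ${pkg.name}`);
  return { version: pkg.version, affected: isAffected(pkg.version) };
}

const result = checkMermaidPackage(SAMPLE_PACKAGE_JSON);
console.log(`mermaid ${result.version}: ${result.affected ? "affected, update to >= 8.11.0" : "patched"}`);
```

To check a real install, pass the contents of node_modules/mermaid/package.json to checkMermaidPackage instead of the sample.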
References
Related Issues
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify - Vulnerability
- Command Injection Vulnerability - CVE-2021-21315
- Prototype Pollution in vConsole - CVE-2023-30363
Tags: npm, mermaid
Last updated on February 01, 2023