Description
Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting (XSS). If malicious input such as `A["<img src=invalid onerror=alert('XSS')></img>"]` is provided to the application, it will execute the code instead of rendering it as text, due to improper output encoding.
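The root cause named above is output encoding, not input filtering: a node label that reaches the SVG/HTML output verbatim is parsed by the browser as markup. The following added example (not mermaid's own code; the parser, function names and the `<text>` wrapper are assumptions for illustration) contrasts the verbatim interpolation that produces the problem with entity encoding of the label, and includes a check that a renderer test can run to confirm no tag other than the wrapper survives.

```javascript
// Added example, not from the mermaid project. Pure string handling, no DOM,
// so it runs offline in Node; the label is never parsed or executed here.

// Minimal parser for the flowchart node syntax quoted in the advisory,
// e.g. A["some label"]. Returns { id, label } or null when it does not match.
// Hypothetical helper: mermaid's real grammar is far larger than this.
function parseQuotedNode(definition) {
  const match = /^\s*([A-Za-z0-9_]+)\["((?:[^"\\]|\\.)*)"\]\s*$/.exec(definition);
  if (!match) return null;
  return { id: match[1], label: match[2] };
}

// Entity-encode the five characters that matter in an HTML/SVG text context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (the class of defect the advisory describes): the label
// is interpolated verbatim, so any tag inside it becomes a live element once
// the browser parses the output.
function renderLabelUnsafe(node) {
  return `<text id="${node.id}">${node.label}</text>`;
}

// Hardened pattern: label and id are entity-encoded, so the browser displays
// the label as text exactly as the author typed it.
function renderLabelSafe(node) {
  return `<text id="${escapeHtml(node.id)}">${escapeHtml(node.label)}</text>`;
}

// Defensive check for a renderer's test suite: true when the markup contains
// any tag other than the expected <text> wrapper.
function containsForeignTag(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?text\b/.test(t));
}

// Constructed input copied from the advisory text.
const ADVISORY_INPUT = `A["<img src=invalid onerror=alert('XSS')></img>"]`;

// Render the advisory's label both ways and report what the check sees.
function demo() {
  const node = parseQuotedNode(ADVISORY_INPUT);
  const unsafe = renderLabelUnsafe(node);
  const safe = renderLabelSafe(node);
  return {
    unsafe,
    safe,
    unsafeHasForeignTag: containsForeignTag(unsafe),
    safeHasForeignTag: containsForeignTag(safe),
  };
}

console.log(demo());
```

In a real renderer the equivalent of `renderLabelSafe` is whichever path writes the label through a text node or an encoder rather than through `innerHTML` or string concatenation; the `containsForeignTag` check is the kind of assertion worth keeping in CI so a future refactor cannot silently reintroduce verbatim interpolation.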
Recommendation
Update the mermaid package to the latest compatible version. Version details:
- Affected version(s): < 8.2.3
- Patched version(s): 8.2.3
References
Related Issues
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 5 - CVE-2020-8203
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 4 - CVE-2020-8203
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 3 - CVE-2020-8203
Tags:
- npm
- mermaid
Last updated on January 09, 2023