Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)

Description

@excalidraw/[email protected] depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path.

This is patched in @excalidraw/[email protected] by updating @excalidraw/mermaid-to-excalidraw to 2.2.2, which uses a patched Mermaid 11 release.

Recommendation

Update the @excalidraw/excalidraw package to the latest compatible version. Followings are version details:

• Affected version(s): = 0.18.0
• Patched version(s): 0.18.1

References

• GHSA-39h7-pwv7-rc3x
• CWE-1395
• CWE-79
• OWASP 2021-A3

Related Issues

• @tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Ori - Vulnerability
• Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
• DOMPurify is vulnerable to mutation-XSS via Re-Contextualization - Vulnerability
• Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

These 7 PHP mistakes leave your website open to the hackers

How do hackers hack websites?

Tags:

npm

@excalidraw/excalidraw