Description
Malicious diagrams can contain javascript code that can be run at diagram readers machines.
Recommendation
Update the mermaid package to the latest compatible version. Followings are version details:
- Affected version(s): < 8.13.8
- Patched version(s): 8.13.8
References
Related Issues
- Astro's bypass of image proxy domain validation leads to SSRF and potential XSS - CVE-2025-59837
- XSS in the `altField` option of the Datepicker widget in jquery-ui - CVE-2021-41182
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - CVE-2024-43788
- Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function ga - CVE-2025-65110
You might also like:
- Tags:
- npm
- mermaid
Anything's wrong? Let us know Last updated on February 03, 2023


