Description
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering a gantt chart whose excludes attribute excludes all dates.
Recommendation
Update the mermaid package to the latest compatible version. Version details:
Affected version(s): **<= 10.9.5** and **>= 11.0.0-alpha.1, <= 11.14.0**
Patched version(s): **10.9.6** and **11.15.0**
References
Related Issues
- jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs - CVE-2026-4598
- music-metadata has an infinite loop vulnerability in ASF parser - CVE-2026-32256
- Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer - CVE-2026-41680
- bn.js affected by an infinite loop - CVE-2026-2739
Tags: npm, mermaid
Last updated on May 11, 2026


