Description
In the default configuration of mermaid 11.9.0, user-supplied input for sequence diagram labels is passed to innerHTML while the element size is being calculated, causing XSS.
Recommendation
Update the mermaid package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 10.9.0-rc.1, < 10.9.4** and **>= 11.0.0-alpha.1, < 11.10.0**
Patched version(s): **10.9.4** and **11.10.0**
Related Issues
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
- AngularJS improperly sanitizes SVG elements - CVE-2025-0716
- Astro's bypass of image proxy domain validation leads to SSRF and potential XSS - CVE-2025-59837
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
Tags:
- npm
- mermaid
Last updated on September 04, 2025