Description
In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.
Recommendation
Update the mermaid package to the latest compatible version. Followings are version details:
Affected version(s): **>= 10.9.0-rc.1, < 10.9.4 >= 11.0.0-alpha.1, < 11.10.0** Patched version(s): **10.9.4 11.10.0**
References
Related Issues
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
- Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering) - Vulnerability
- AngularJS improperly sanitizes SVG elements - CVE-2025-0716
- Webrecorder packages are vulnerable to XSS through 404 error handling logic - replaywebpage - CVE-2025-58765
You might also like:
- Tags:
- npm
- mermaid
Anything's wrong? Let us know Last updated on September 04, 2025


