Description
In the default configuration of mermaid 11.9.0, user-supplied input for sequence diagram labels is passed to innerHTML while the label element's size is being calculated, so the input is parsed as HTML and causes XSS.
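The pattern the description refers to, measuring a label by writing it into an element, is shown below as an added example (not mermaid's code): the unsafe innerHTML form next to the hardened textContent form, plus an escape helper for cases where innerHTML cannot be avoided. A constructed stand-in element replaces the browser DOM so the example runs under Node; its parse-detection regex is a deliberate simplification.

```javascript
// Constructed stand-in for a DOM element so the example runs outside a browser.
// It mimics the one property that matters here: innerHTML parses markup,
// textContent does not.
class StubElement {
  constructor() { this.text = ""; this.markupParsed = false; }
  // innerHTML: the browser would parse tags (and run event handlers/scripts);
  // we only record that markup was parsed and keep the visible text.
  set innerHTML(html) {
    this.markupParsed = /<[a-z!\/][^>]*>/i.test(html);
    this.text = String(html).replace(/<[^>]*>/g, "");
  }
  get innerHTML() { return this.text; }
  // textContent: the string is stored verbatim and never interpreted.
  set textContent(s) { this.markupParsed = false; this.text = String(s); }
  get textContent() { return this.text; }
  // Crude width stand-in: characters times a fixed glyph width (assumption).
  getBoundingClientRect() { return { width: this.text.length * 7 }; }
}

// Vulnerable pattern: untrusted label text is interpreted as HTML merely to
// measure it, which is the defect class described in the advisory.
function measureLabelUnsafe(el, label) {
  el.innerHTML = label;
  return el.getBoundingClientRect().width;
}

// Hardened pattern: textContent treats the label as inert text, so the
// measurement works and nothing in the label is ever parsed as markup.
function measureLabelSafe(el, label) {
  el.textContent = label;
  return el.getBoundingClientRect().width;
}

// If innerHTML is unavoidable (e.g. a limited markup subset must survive),
// escape the untrusted part before it is concatenated into the HTML string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample label containing harmless markup to show the difference.
const el = new StubElement();
console.log("unsafe:", measureLabelUnsafe(el, "Alice<b>x</b>"), "parsed:", el.markupParsed);
console.log("safe:  ", measureLabelSafe(el, "Alice<b>x</b>"), "parsed:", el.markupParsed);
```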
Recommendation
Update the mermaid package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 10.9.0-rc.1, < 10.9.4** and **>= 11.0.0-alpha.1, < 11.10.0**
Patched version(s): **10.9.4** and **11.10.0**
References
Related Issues
- Finance.js vulnerable to DoS via the IRR function’s depth parameter - CVE-2025-56571
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
Tags:
- npm
- mermaid
Last updated on September 04, 2025