Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-54881

Good to know:

icon

Date: August 19, 2025

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

Severity Score

Related Resources (7)

https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e
https://github.com/mermaid-js/mermaid
https://security-tracker.debian.org/tracker/CVE-2025-54881
https://nvd.nist.gov/vuln/detail/CVE-2025-54881
https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832
https://www.mend.io/vulnerability-database/CVE-2025-54881

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version mermaid - 11.10.0;mermaid - 11.10.0;mermaid - 10.9.4;mermaid - 11.10.0;mermaid - 11.10.0;mermaid - 10.9.4;https://github.com/mermaid-js/mermaid.git - mermaid@11.10.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us