CVE-2025-54881 in mermaid
Summary
by MITRE • 08/19/2025
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 09/01/2025
CVE-2025-54881 represents a cross-site scripting vulnerability discovered in the Mermaid JavaScript library affecting versions 10.9.0-rc.1 through 11.9.0. This vulnerability stems from the improper handling of user-supplied input within sequence diagram labels, where the library directly passes this input to the innerHTML property during element size calculations. The flaw occurs when Mermaid processes Markdown-inspired text definitions for diagram rendering, specifically in the context of sequence diagrams where labels are used to identify participants or messages. The vulnerability is classified under CWE-79 as Cross-site Scripting, which is a critical security weakness that allows attackers to inject malicious scripts into web pages viewed by other users. The attack vector is particularly concerning because it leverages the legitimate functionality of the diagramming tool, making it difficult to distinguish between benign user input and malicious payloads. When users create sequence diagrams with specially crafted labels containing script tags or other malicious code, the Mermaid library's processing logic executes this code during the rendering phase, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The vulnerability's impact extends beyond simple XSS as it can be exploited in combination with other techniques to perform more sophisticated attacks. The operational implications are significant for organizations relying on Mermaid for documentation, presentations, or collaborative environments where user input is accepted. Attackers could craft sequence diagram labels containing malicious JavaScript that executes when the diagram is rendered in a web browser, particularly in environments where diagrams are shared across teams or published on websites. This vulnerability directly relates to the ATT&CK technique T1211 - Exploitation for Defense Evasion, as it can be used to establish persistent access or evade security controls through the execution of malicious scripts. The vulnerability demonstrates a classic improper input validation issue where user-supplied data is not properly sanitized before being used in DOM manipulation operations. The fact that this affects the default configuration means that organizations using Mermaid in their standard deployments are potentially exposed without requiring any special configuration or setup. Organizations utilizing Mermaid for generating documentation, presentations, or collaborative diagrams should immediately consider updating to patched versions or implementing additional input sanitization measures as a temporary mitigation. The vulnerability underscores the importance of proper output encoding and input validation in web applications, particularly when processing user-generated content that will be rendered in browsers. Security teams should monitor for any potential exploitation attempts and ensure that all Mermaid dependencies are updated to versions that address this specific XSS vulnerability. The affected versions represent a broad range of the library's releases, indicating that this issue has been present for an extended period and could have been exploited in various environments where Mermaid is used for diagram generation.