{"id":"CVE-2025-54881","summary":"Mermaid improperly sanitizes sequence diagram labels, leading to XSS","details":"Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user-supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.","aliases":["GHSA-7rqq-prvp-x9jh"],"modified":"2026-04-10T05:29:42.287821Z","published":"2025-08-19T17:04:29.453Z","related":["CGA-ww8q-hxq6-mjr6"],"database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54881.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54881.json"},{"type":"ADVISORY","url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54881"},{"type":"FIX","url":"https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832"},{"type":"FIX","url":"https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mermaid-js/mermaid","events":[{"introduced":"0"},{"fixed":"5c69e5fdb004a6d0a2abe97e23d26e223a059832"}]},{"type":"GIT","repo":"https://github.com/mermaid-js/mermaid","events":[{"introduced":"0"},{"fixed":"685516a85ec1df64cefd4fd15f26533be87d458e"}]}],"versions":["0.1.0","0.1.1","0.2.0","0.2.1","0.2.13","0.2.14","0.2.15","0.2.16","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.2.8","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.4.0","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","6.0.0","7.0.0","7.0.2","7.0.3","7.0.5","8.1.0","8.11.0-rc2","8.11.3","8.11.4","8.12.1","8.13.10","8.13.11","8.13.5"
,"8.13.6","8.13.7","8.2.0","8.2.1","8.2.2","8.2.3","8.2.4","8.2.5","8.2.6","8.3.0","8.4.4","8.4.6","8.4.8","8.5.1","8.5.2","8.6.0","8.6.2","8.7.0","8.8.0","8.8.3","8.9.1","8.9.3","9.1.2","9.1.3","9.1.5","@mermaid-js/layout-elk@0.1.1","@mermaid-js/layout-elk@0.1.2","@mermaid-js/layout-elk@0.1.3","@mermaid-js/layout-elk@0.1.4","@mermaid-js/layout-elk@0.1.5","@mermaid-js/layout-elk@0.1.6","@mermaid-js/layout-elk@0.1.7","@mermaid-js/layout-elk@0.1.8","@mermaid-js/mermaid-zenuml@0.2.1","@mermaid-js/parser@0.2.0","@mermaid-js/parser@0.3.0","@mermaid-js/parser@0.4.0","@mermaid-js/parser@0.5.0","@mermaid-js/parser@0.6.0","@mermaid-js/parser@0.6.1","@mermaid-js/tiny@11.7.0","@mermaid-js/tiny@11.8.0","@mermaid-js/tiny@11.8.1","mermaid@11.0.1","mermaid@11.0.2","mermaid@11.1.0","mermaid@11.1.1","mermaid@11.2.0","mermaid@11.2.1","mermaid@11.3.0","mermaid@11.4.0","mermaid@11.4.1","mermaid@11.5.0","mermaid@11.6.0","mermaid@11.7.0","mermaid@11.8.0","mermaid@11.8.1","untagged-31c93788afe260d914bb","untagged-566ebfbf21141b604025","untagged-7651dabb407ecd5631ce","untagged-f43366252632a1a42020","v10.1.0","v10.3.0","v10.4.0","v10.7.0","v10.9.0","v11.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54881.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}