{"id":"GHSA-6m6c-36f7-fhxh","summary":"Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS","details":"### Impact\n\nMermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates.\n\nExample:\n\n```\ngantt\n  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday\n  DoS :2025-01-01, 1d\n```\n\n`mermaid.parse` is unaffected, unless you then call `ganttDb.getTasks()` (which is called when rendering a diagram).\n\n### Patches\n\nThis has been patched in:\n\n- [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e))\n- [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6))\n\n### Workarounds\n\nThere are no workarounds available without updating to a newer version of mermaid.","aliases":["CVE-2026-41150"],"modified":"2026-05-11T19:49:04.854063Z","published":"2026-05-11T19:36:55Z","database_specific":{"cwe_ids":["CWE-835"],"nvd_published_at":null,"severity":"MODERATE","github_reviewed":true,"github_reviewed_at":"2026-05-11T19:36:55Z"},"references":[{"type":"WEB","url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh"},{"type":"WEB","url":"https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6"},{"type":"WEB","url":"https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e"},{"type":"PACKAGE","url":"https://github.com/mermaid-js/mermaid"},{"type":"WEB","url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0"},{"type":"WEB","url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6"}],"affected":[{"package":{"name":"mermaid","ecosystem":"npm","purl":"pkg:npm/mermaid"},"ranges":[{"type":"SEMVER","events":[{"introduced":"11.0.0-alpha.1"},{"fixed":"11.15.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6m6c-36f7-fhxh/GHSA-6m6c-36f7-fhxh.json","last_known_affected_version_range":"\u003c= 11.14.0"}},{"package":{"name":"mermaid","ecosystem":"npm","purl":"pkg:npm/mermaid"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"10.9.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6m6c-36f7-fhxh/GHSA-6m6c-36f7-fhxh.json","last_known_affected_version_range":"\u003c= 10.9.5"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"}]}