CVE-2025-54880

6.1 MEDIUM

📋 TL;DR

Mermaid versions 11.9.0 and earlier have a cross-site scripting (XSS) vulnerability in architecture diagram icons where user input is passed to the d3 html() method without proper sanitization. This allows attackers to inject malicious scripts that execute in victims' browsers when viewing diagrams. Anyone using vulnerable Mermaid versions in web applications is affected.

💻 Affected Systems

Products:
  • Mermaid
Versions: 11.9.0 and earlier
Operating Systems: All platforms running JavaScript
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when user-supplied input is used for architecture diagram icons.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites through injected JavaScript payloads.

🟠

Likely Case

Limited XSS attacks stealing user data or session information from users who view maliciously crafted diagrams.

🟢

If Mitigated

No impact if input validation and output encoding are properly implemented, or if the application runs in a sandboxed environment.

🌐 Internet-Facing: HIGH - Web applications using Mermaid that accept user input for diagrams are directly exposed to XSS attacks from external attackers.
🏢 Internal Only: MEDIUM - Internal applications could still be vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to inject malicious input into architecture diagram icons that gets rendered by vulnerable Mermaid instances.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.10.0

Vendor Advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw

Restart Required: No

Instructions:

1. Update Mermaid to version 11.10.0 or later.
2. For npm: `npm update mermaid`.
3. For yarn: `yarn upgrade mermaid`.
4. Verify that the update in package.json shows version 11.10.0 or later.

🔧 Temporary Workarounds

Input Sanitization

Implement strict input validation and output encoding for all user-supplied diagram icon data before passing to Mermaid.

Content Security Policy

Implement strict Content Security Policy headers to mitigate XSS impact by restricting script execution sources.

🧯 If You Can't Patch

  • Disable user input for architecture diagram icons in Mermaid configuration
  • Implement web application firewall rules to detect and block XSS payloads in diagram data

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/mermaid/package.json for version number. If version is 11.9.0 or earlier, the system is vulnerable.

Check Version:

Run `npm list mermaid | grep mermaid`, or check the "mermaid" entry in package.json for the installed version.

Verify Fix Applied:

Confirm that the Mermaid version is 11.10.0 or later. Test with benign, non-malicious XSS test payloads in diagram icons to confirm that they are properly sanitized and do not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution in diagram rendering contexts
  • Suspicious strings in diagram data inputs

Network Indicators:

  • Unexpected external script loads from diagram rendering pages

SIEM Query:

web_logs WHERE url_path CONTAINS 'mermaid' AND (request_body CONTAINS '<script>' OR request_body CONTAINS 'javascript:' OR request_body CONTAINS 'onload=')
