CVE-2025-54880
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mermaid_project | mermaid | From 11.1.0 (inc) to 11.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54880 is a cross-site scripting (XSS) vulnerability in the mermaid JavaScript diagramming tool (versions up to 11.9.0). It occurs because user-supplied input for architecture diagram icons (specifically the iconText field) is passed directly to the d3.html() method without sanitization. This allows attackers to inject malicious HTML or JavaScript code into diagrams, which can then execute in the context of the user's browser when the diagram is rendered. The vulnerability arises from improper neutralization of input during web page generation. [1]
How can this vulnerability impact me? :
If you use mermaid to render user-supplied architecture diagrams without additional input sanitization, this vulnerability can allow attackers to execute arbitrary JavaScript in your users' browsers via injected malicious code in icon labels. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of your web application. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system uses mermaid versions up to and including 11.9.0 that render architecture diagrams with user-supplied iconText input without sanitization. Since the vulnerability involves injection of malicious HTML/JavaScript via the iconText field passed to d3.html(), you can detect attempts by monitoring for suspicious payloads in architecture diagram inputs or by scanning your codebase for usage of mermaid versions <= 11.9.0. There are no specific commands provided in the resources, but you can verify the mermaid version with commands like `npm list mermaid` or `yarn list mermaid` in your project. Additionally, you can inspect rendered diagrams for unexpected HTML elements or scripts. For automated detection, you might use security scanners that detect XSS vulnerabilities in web applications rendering mermaid diagrams. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading mermaid to version 11.10.0 or later where the vulnerability is fixed by sanitizing the iconText input before rendering. If upgrading is not immediately possible, sanitize or validate any user-supplied input for architecture diagram icons before passing it to mermaid. Avoid rendering untrusted input directly in architecture diagrams. Applying input sanitization functions to icon labels and SVG content, as implemented in the patch, will prevent malicious script injection. Monitoring and restricting user input to safe characters or escaping HTML can also help mitigate the risk until the patched version is adopted. [1, 2]