CVE-2025-54881
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-08-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mermaid-js | mermaid | 11.9.0 |
| mermaid-js | mermaid | 10.9.0-rc.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54881 is a cross-site scripting (XSS) vulnerability in the mermaid-js/mermaid JavaScript diagramming library, affecting versions 10.9.0-rc.1 through 11.9.0 inclusive. When a sequence diagram label contains a KaTeX math block, mermaid has to measure the rendered label in order to size the diagram element. The function that does this, calculateMathMLDimensions, renders the label with KaTeX and assigns the resulting HTML string to a temporary div through innerHTML without sanitizing the user-supplied label text first. Any HTML embedded in the label is therefore written into the live document as markup, so whoever controls the diagram definition can inject elements such as an image tag with an onerror handler, and the handler runs when the diagram is rendered. [1]
How can this vulnerability impact me?
An attacker who can supply a diagram definition can execute arbitrary JavaScript in the origin of any website or application that renders user-supplied Mermaid diagrams with a vulnerable version and does not sanitize the diagram source itself. Because the injected script runs as that origin, it can read data the page can reach (including cookies and storage accessible to script), perform actions as the logged-in user, hijack the session, deface the page, or pivot to further attacks. Applications that only ever render diagrams authored by trusted staff are exposed only to the extent those authors are. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First establish whether an affected build of mermaid-js/mermaid (10.9.0-rc.1 through 11.9.0 inclusive) is installed; in a Node project `npm ls mermaid` lists every copy, including nested duplicates, and bundled front-end assets should be checked for the version string they embed. Exposure additionally requires that the application render user-supplied sequence diagram definitions and that KaTeX rendering be enabled, because only labels containing a math block reach the vulnerable measurement code. A practical functional test is to render a sequence diagram whose participant label carries an XSS payload (an image tag with an onerror handler) next to a KaTeX block and observe whether the handler fires:

```
sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)"> $$\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!
```

If the script executes or the injected image element appears in the DOM, the deployment is vulnerable. Run this only against a test instance, since a positive result rewrites the page. There is no network-level signature for this issue; the rendering behaviour of the application is what has to be tested. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade mermaid to a release newer than 11.9.0 that contains the fix. The patch sanitizes KaTeX blocks and HTML labels before the rendered string is assigned to innerHTML in calculateMathMLDimensions, so the unsanitized rendering path no longer exists; if you maintain a fork of the mermaid codebase, apply that upstream change rather than a local workaround. If upgrading immediately is not possible, do not render untrusted diagram definitions with KaTeX support enabled, or disable KaTeX support altogether, since the vulnerable measurement code is only reached for labels that contain a math block. Independently of the library version, treat Mermaid diagram source as untrusted input: sanitize or reject HTML in diagram text before it reaches the renderer, and review every place in the application where user-controlled text is passed to mermaid. [1, 3]