CVE-2026-41150
Denial-of-Service in Mermaid via Gantt Chart Excludes
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mermaid-js | mermaid | up to and including 10.9.6 |
| mermaid-js | mermaid | up to and including 11.15.0 |
| mermaid-js | mermaid | after 10.9.6 (exclusive) up to and including 11.14.0 |
| mermaid-js | mermaid | before 10.9.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects the Mermaid JavaScript library's Gantt chart rendering functionality. When a Gantt chart uses the 'excludes' attribute to exclude all dates, it causes an infinite loop during rendering. Specifically, the function responsible for adjusting task dates enters a loop that never finds a valid date, leading to a denial-of-service (DoS) condition by exhausting system resources.
The vulnerability does not affect the parsing function 'mermaid.parse' unless the rendering function 'ganttDb.getTasks()' is called afterward. The issue was fixed by adding a loop iteration limit to prevent infinite looping and throwing an error if no valid date is found within that limit.
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial-of-service (DoS) condition when rendering Gantt charts that exclude all dates. The infinite loop consumes excessive CPU and memory resources, potentially making the application or system unresponsive or crashing it.
The attack can be triggered remotely over the network without requiring any privileges or user interaction, making it easier for attackers to exploit. The primary impact is on system availability, disrupting normal operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when rendering Mermaid Gantt charts that use the excludes attribute to exclude all dates, causing an infinite loop and therefore a denial of service. Detection involves identifying Mermaid versions vulnerable to this issue (versions prior to 10.9.6 and 11.15.0) and checking whether Gantt charts are rendered with excludes attributes that exclude all days.
Since the vulnerability is triggered by specific Mermaid Gantt chart configurations, detection on a system or network could involve:
- Checking the Mermaid library version used in your environment to see if it is older than 10.9.6 or 11.15.0.
- Reviewing Mermaid Gantt chart definitions for the use of the excludes attribute that excludes all days (e.g., excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday).
- Monitoring for symptoms of denial-of-service such as high CPU usage or unresponsive rendering processes when Mermaid diagrams are processed.
No specific commands are provided in the resources to detect this vulnerability directly on a network or system.
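The following is an added illustration, not Mermaid's own code, of the two points above: the CWE-835 pattern behind this advisory (a date-adjustment loop that skips excluded days and can never exit when every day of the week is excluded), the bounded form of that loop with an iteration limit and an error, which is the style of fix the advisory describes, and a scanner for the detection heuristic of finding an `excludes` line that removes all seven days. Every function name here (`parseExcludes`, `excludesAllDays`, `nextAllowedDate`, `findAllDayExcludes`) and the sample Gantt definition are constructed for this example; the `excludes` token handling is simplified to weekday names plus `weekends`, and the iteration limit of 366 is an arbitrary choice for the illustration, not Mermaid's value.

```javascript
// Constructed example for CVE-2026-41150 (CWE-835). Not Mermaid's implementation.

const WEEKDAYS = ['sunday', 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday'];

// Parse a Gantt-style "excludes" value into a set of lowercase weekday names.
// The "weekends" token is expanded to saturday and sunday; other tokens (e.g. specific
// dates) are kept as-is but are not modelled by isExcluded below.
function parseExcludes(excludes) {
  const set = new Set(
    String(excludes).split(/[,\s]+/).map(t => t.trim().toLowerCase()).filter(Boolean)
  );
  if (set.has('weekends')) {
    set.add('saturday');
    set.add('sunday');
  }
  return set;
}

// True when the excludes value covers all seven days, i.e. the configuration that the
// advisory says makes the date-adjustment loop unable to find any valid date.
function excludesAllDays(excludes) {
  const set = parseExcludes(excludes);
  return WEEKDAYS.every(day => set.has(day));
}

// Is this calendar day excluded? Only weekday exclusions are modelled here.
function isExcluded(date, excludedSet) {
  return excludedSet.has(WEEKDAYS[date.getUTCDay()]);
}

// The vulnerable shape (shown as a comment only; it never terminates when every day is excluded):
//   while (isExcluded(d, excludedSet)) d = nextDay(d);
//
// Bounded replacement: advance past excluded days, but give up after maxIterations and
// throw instead of spinning forever. 366 is an arbitrary cap chosen for this illustration.
function nextAllowedDate(start, excludedSet, maxIterations = 366) {
  let d = new Date(start.getTime());
  for (let i = 0; i < maxIterations; i++) {
    if (!isExcluded(d, excludedSet)) return d;
    d = new Date(d.getTime() + 24 * 60 * 60 * 1000);
  }
  throw new Error(
    `No valid date found within ${maxIterations} iterations; the excludes value removes every day`
  );
}

// Detection helper: scan a Gantt definition for an "excludes" line that removes all days.
// Returns one finding per offending line (1-based line number and the raw excludes value).
function findAllDayExcludes(ganttText) {
  const findings = [];
  ganttText.split('\n').forEach((line, idx) => {
    const m = line.trim().match(/^excludes\s+(.+)$/i);
    if (m && excludesAllDays(m[1])) {
      findings.push({ line: idx + 1, excludes: m[1].trim() });
    }
  });
  return findings;
}

// Constructed sample Gantt definition using the all-days excludes value quoted in the advisory.
const SAMPLE_GANTT = `gantt
    title Constructed sample
    dateFormat YYYY-MM-DD
    excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
    section A
    Task 1 :a1, 2026-05-04, 3d
`;

// Stand-alone demonstration.
console.log('findings:', findAllDayExcludes(SAMPLE_GANTT));
console.log('next allowed after Sat 2026-05-02 with "weekends":',
  nextAllowedDate(new Date(Date.UTC(2026, 4, 2)), parseExcludes('weekends')).toISOString().slice(0, 10));
try {
  nextAllowedDate(new Date(Date.UTC(2026, 4, 2)), parseExcludes('monday,tuesday,wednesday,thursday,friday,weekends'));
} catch (e) {
  console.log('bounded loop gave up as intended:', e.message);
}
```

Running `findAllDayExcludes` over diagram sources checked into a repository is a cheap way to flag the configuration the advisory describes before upgrading, but it is a heuristic: only the excludes value itself is inspected, and version-based detection (any Mermaid older than 10.9.6 or 11.15.0) remains the authoritative check.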
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to update the Mermaid library to a fixed version.
- Upgrade Mermaid to version 11.15.0 or later.
- Alternatively, upgrade to version 10.9.6 or later if using the 10.x branch.
No other workarounds or mitigations exist besides updating to a patched version, as the vulnerability is due to an infinite loop triggered by certain excludes attribute values.