CVE-2025-54880

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.

References

Affected packages

Debian:11 / node-mermaid

Package

Name: node-mermaid
Purl: pkg:deb/debian/node-mermaid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.7.0+ds+~cs27.17.17-3

8.7.0+ds+~cs27.17.17-3+deb11u1

8.7.0+ds+~cs27.17.17-3+deb11u2

8.9.1+ds+~cs26.20.25-1

8.9.3+ds+~cs29.13.19-1

8.11.0+ds+~cs29.13.22-1

8.13.2+ds+~cs30.13.21-1

8.13.2+ds+~cs30.13.21-1.1

8.13.3+ds+~cs26.13.21-1

8.13.3+ds+~cs26.13.21-2

8.13.8+~cs10.4.16-1

8.14.0+~cs11.4.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/mermaid-js/mermaid

Affected ranges

Type: GIT
Repo: https://github.com/mermaid-js/mermaid
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2aa83302795183ea5c65caec3da1edd6cb4791fc

Fixed

734bde38777c9190a5a72e96421c83424442d4e4

Affected versions

0.*

0.1.0

0.1.1

0.2.0

0.2.1

0.2.10

0.2.13

0.2.14

0.2.15

0.2.16

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.4.0

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

6.*

6.0.0

7.*

7.0.0

7.0.2

7.0.3

7.0.5

8.*

8.1.0

8.10.1

8.11.0

8.11.0-rc2

8.11.1

8.11.2

8.11.3

8.11.4

8.12.0

8.12.1

8.13.0

8.13.1

8.13.10

8.13.11

8.13.2

8.13.3

8.13.4

8.13.5

8.13.6

8.13.7

8.13.8

8.13.9

8.14.0

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.3.0

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.6

8.4.8

8.5.1

8.5.2

8.6.0

8.6.2

8.6.3

8.6.4

8.7.0

8.8.0

8.8.1

8.8.2

8.8.3

8.9.0

8.9.1

8.9.2

8.9.3

9.*

9.0.0

9.0.1

9.1.0

9.1.1

9.1.2

9.1.3

9.1.4

9.1.5

9.1.6

@mermaid-js/layout-elk@0.*

@mermaid-js/layout-elk@0.1.1

@mermaid-js/layout-elk@0.1.2

@mermaid-js/layout-elk@0.1.3

@mermaid-js/layout-elk@0.1.4

@mermaid-js/layout-elk@0.1.5

@mermaid-js/layout-elk@0.1.6

@mermaid-js/layout-elk@0.1.7

@mermaid-js/layout-elk@0.1.8

@mermaid-js/mermaid-zenuml@0.*

@mermaid-js/mermaid-zenuml@0.2.1

@mermaid-js/parser@0.*

@mermaid-js/parser@0.2.0

@mermaid-js/parser@0.3.0

@mermaid-js/parser@0.4.0

@mermaid-js/parser@0.5.0

@mermaid-js/parser@0.6.0

@mermaid-js/parser@0.6.1

@mermaid-js/tiny@11.*

@mermaid-js/tiny@11.7.0

@mermaid-js/tiny@11.8.0

@mermaid-js/tiny@11.8.1

mermaid@11.*

mermaid@11.0.1

mermaid@11.0.2

mermaid@11.1.0

mermaid@11.1.1

mermaid@11.2.0

mermaid@11.2.1

mermaid@11.3.0

mermaid@11.4.0

mermaid@11.4.1

mermaid@11.5.0

mermaid@11.6.0

mermaid@11.7.0

mermaid@11.8.0

mermaid@11.8.1

mermaid@11.9.0

real-8.*

real-8.13.5

Other

untagged-31c93788afe260d914bb

untagged-502e9410f3e7fd2ed484

untagged-566ebfbf21141b604025

untagged-7651dabb407ecd5631ce

untagged-78173a5e15ffdf8f1e6a

untagged-f43366252632a1a42020

untagged-f83ec2a9deaf6677e0c7

v10.*

v10.0.0

v10.0.1

v10.0.2

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.2.3

v10.2.4

v10.3.0

v10.3.1

v10.4.0

v10.5.0

v10.5.1

v10.6.0

v10.6.1

v10.7.0

v10.8.0

v10.9.0

v10.9.1

v11.*

v11.0.0

v8.*

v8.8.4

v9.*

v9.1.7

v9.2.0

v9.2.1

v9.2.2

v9.3.0

v9.4.0

v9.4.2

v9.4.3