GHSA-6m6c-36f7-fhxh

Source
https://github.com/advisories/GHSA-6m6c-36f7-fhxh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6m6c-36f7-fhxh/GHSA-6m6c-36f7-fhxh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6m6c-36f7-fhxh
Aliases
  • CVE-2026-41150
Published
2026-05-11T19:36:55Z
Modified
2026-05-11T19:49:04.854063Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
Summary
Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
Details

Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if the chart uses the excludes attribute to exclude every date.

Example:

gantt
  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
  DoS :2025-01-01, 1d

mermaid.parse is unaffected, unless you then call ganttDb.getTasks() (which is called when rendering a diagram).
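As an added illustration (not mermaid's own code, and not a workaround the advisory offers), a pre-render input guard that flags gantt sources whose excludes line names all seven weekdays, the condition described above. Treating the `weekends` keyword as Saturday and Sunday is an assumption; explicit excluded dates are not handled.

```javascript
// Added pre-render guard (not mermaid's code): refuses gantt sources whose
// `excludes` line covers every weekday, the input that makes unpatched
// mermaid versions loop forever looking for a non-excluded working day.
const WEEKDAYS = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'];
const WEEKEND = ['saturday', 'sunday']; // assumption: "weekends" means these two days

// Collect the weekday names excluded by a gantt definition.
function excludedWeekdays(source) {
  const days = new Set();
  for (const line of source.split(/\r?\n/)) {
    const m = line.match(/^\s*excludes\s+(.+)$/i);
    if (!m) continue;
    for (const tok of m[1].split(/[\s,]+/)) {
      const t = tok.toLowerCase();
      if (WEEKDAYS.includes(t)) days.add(t);
      else if (t === 'weekends') WEEKEND.forEach((d) => days.add(d));
      // Explicit dates (e.g. 2025-01-01) are ignored: only the weekday case is covered here.
    }
  }
  return days;
}

// True when no weekday remains, i.e. the renderer could never find a working day.
function excludesAllWeekdays(source) {
  return excludedWeekdays(source).size === WEEKDAYS.length;
}

// Reject the hazardous input before handing it to the real renderer.
function guardedRender(source, render) {
  if (excludesAllWeekdays(source)) {
    throw new Error('gantt excludes every weekday; refusing to render');
  }
  return render(source);
}

// Constructed sample inputs: the advisory's shape of chart and a benign one.
const allDaysExcluded = `gantt
  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
  DoS :2025-01-01, 1d`;
const weekendsOnly = `gantt
  excludes weekends
  Task :2025-01-01, 1d`;

console.log(excludesAllWeekdays(allDaysExcluded), excludesAllWeekdays(weekendsOnly)); // true false
```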

Patches

This has been patched in:

Workarounds

There are no workarounds available without updating to a newer version of mermaid.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:36:55Z",
    "cwe_ids": [
        "CWE-835"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

npm / mermaid

Package

Affected ranges

Type
SEMVER
Events
Introduced
11.0.0-alpha.1
Fixed
11.15.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6m6c-36f7-fhxh/GHSA-6m6c-36f7-fhxh.json"
last_known_affected_version_range
"<= 11.14.0"

npm / mermaid

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
10.9.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6m6c-36f7-fhxh/GHSA-6m6c-36f7-fhxh.json"
last_known_affected_version_range
"<= 10.9.5"