GHSA-7rqq-prvp-x9jh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7rqq-prvp-x9jh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-7rqq-prvp-x9jh/GHSA-7rqq-prvp-x9jh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7rqq-prvp-x9jh
- Aliases
- Related
- Published
- 2025-08-19T20:16:58Z
- Modified
- 2025-08-22T22:52:04Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Mermaid improperly sanitizes sequence diagram labels leading to XSS
- Details
-
Summary
In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to
innerHTMLduring calculation of element size, causing XSS.Details
Sequence diagram node labels with KaTeX delimiters are passed through
calculateMathMLDimensions. This method passes the full label toinnerHTMLwhich allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled).The vulnerability lies here:
export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => { text = await renderKatex(text, config); const divElem = document.createElement('div'); divElem.innerHTML = text; // XSS sink, text has not been sanitized. divElem.id = 'katex-temp'; divElem.style.visibility = 'hidden'; divElem.style.position = 'absolute'; divElem.style.top = '0'; const body = document.querySelector('body'); body?.insertAdjacentElement('beforeend', divElem); const dim = { width: divElem.clientWidth, height: divElem.clientHeight }; divElem.remove(); return dim; };The
calculateMathMLDimensionsmethod was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in Mermaid 10.9.0.PoC
Render the following diagram and observe the modified DOM.
sequenceDiagram participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$ A->>John: Hello John, how are you? Alice-)John: See you later!Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQBWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv86911r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIkEcbFJtuk2y9MphM8lM47KIp--AOZghtU
Impact
XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.
Remediation
The value of the
textargument for thecalculateMathMLDimensionsmethod needs to be sanitized before getting passed on toinnerHTML. - Database specific
{ "github_reviewed_at": "2025-08-19T20:16:58Z", "severity": "MODERATE", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2025-08-19T17:15:41Z", "github_reviewed": true }- References
-
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
- https://nvd.nist.gov/vuln/detail/CVE-2025-54881
- https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832
- https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e
- https://github.com/mermaid-js/mermaid
Affected packages
npm / mermaid
Package
- Name
- mermaid
- View open source insights on deps.dev
- Purl
- pkg:npm/mermaid
npm / mermaid
Package
- Name
- mermaid
- View open source insights on deps.dev
- Purl
- pkg:npm/mermaid