GHSA-8gwm-58g9-j8pw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8gwm-58g9-j8pw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-8gwm-58g9-j8pw/GHSA-8gwm-58g9-j8pw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8gwm-58g9-j8pw
- Aliases
- Related
- Published
- 2025-08-19T20:16:45Z
- Modified
- 2025-08-20T19:13:27Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS
- Details
-
Summary
In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3
html()method, creating a sink for cross site scripting.Details
Architecture diagram service
iconTextvalues are passed to the d3html()method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration.The vulnerability lies here:
export const drawServices = async function ( db: ArchitectureDB, elem: D3Element, services: ArchitectureService[] ): Promise<number> { for (const service of services) { /** ... **/ } else if (service.iconText) { bkgElem.html( `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>` ); const textElemContainer = bkgElem.append('g'); const fo = textElemContainer .append('foreignObject') .attr('width', iconSize) .attr('height', iconSize); const divElem = fo .append('div') .attr('class', 'node-icon-text') .attr('style', `height: ${iconSize}px;`) .append('div') .html(service.iconText); // <- iconText passed into innerHTML /** ... **/ }; };This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4, around 15 months ago, which was released in v11.1.0.
PoC
Render the following diagram and observe the modified DOM.
architecture-beta group api(cloud)[API] service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in apiHere is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNo9T8FOwzAMZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeugv7b8yPdMdgRkaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA
Impact
XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.
Remediation
Sanitize the value of
iconTextbefore passing it tohtml(). - Database specific
{ "github_reviewed_at": "2025-08-19T20:16:45Z", "severity": "MODERATE", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2025-08-19T17:15:41Z", "github_reviewed": true }- References
-
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
- https://nvd.nist.gov/vuln/detail/CVE-2025-54880
- https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
- https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
- https://github.com/mermaid-js/mermaid
Affected packages
npm / mermaid
Package
- Name
- mermaid
- View open source insights on deps.dev
- Purl
- pkg:npm/mermaid