CVE-2025-54880: Mermaid does not properly sanitize architecture diagram iconText leading to XSS
In the default configuration of mermaid 11.9.0, user-supplied input for architecture diagram icons is passed to the d3 html()
method, creating a sink for cross-site scripting.
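The sink described above, as an added illustration that is not mermaid's own code: a d3 selection's `.html()` assigns innerHTML, so markup in untrusted icon text is parsed, while `.text()` assigns textContent and is the safe choice. The `fakeSelection` stand-in and the sample icon text are constructed here so the example runs without a browser; with real d3 you would pass `d3.select(node)`, which exposes the same two methods.

```javascript
// Added example (not mermaid's code). Contrasts the .html() sink with the
// .text() rendering path and an escaper for cases where .html() must stay.

// Escape the characters that can open/close a tag or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern, kept only for contrast: untrusted iconText reaches
// .html(), so the browser parses any markup it contains.
function renderIconTextUnsafe(selection, iconText) {
  return selection.html(iconText);
}

// Mitigated pattern: .text() sets textContent, the string is never parsed.
function renderIconTextSafe(selection, iconText) {
  return selection.text(iconText);
}

// Constructed stand-in for a d3 selection: records what would land in the DOM.
// .html() maps to innerHTML (markup interpreted), .text() to textContent.
function fakeSelection() {
  const node = { innerHTML: '', textContent: '' };
  return {
    html(v) { node.innerHTML = String(v); return this; },
    text(v) { node.textContent = String(v); return this; },
    node() { return node; },
  };
}

// Constructed sample: icon text carrying a tag, as untrusted diagram source might.
const SAMPLE_ICON_TEXT = 'server <b>db</b>';

// Returns what each rendering path would write into the node.
function demo() {
  const unsafe = renderIconTextUnsafe(fakeSelection(), SAMPLE_ICON_TEXT).node();
  const safe = renderIconTextSafe(fakeSelection(), SAMPLE_ICON_TEXT).node();
  const escaped = renderIconTextUnsafe(fakeSelection(), escapeHtml(SAMPLE_ICON_TEXT)).node();
  return { unsafe: unsafe.innerHTML, safe: safe.textContent, escaped: escaped.innerHTML };
}
```

In a real page, `demo().unsafe` is the only variant in which the `<b>` element is created; the other two render the string literally.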
References
- github.com/advisories/GHSA-8gwm-58g9-j8pw
- github.com/mermaid-js/mermaid
- github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
- github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
- github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
- nvd.nist.gov/vuln/detail/CVE-2025-54880