CVE-2025-54880

6.1 MEDIUM
Published: August 19, 2025 Modified: October 20, 2025
View on NVD

Description

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
Source: security-advisories@github.com
Patch
https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
Source: security-advisories@github.com
Product
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
Source: security-advisories@github.com
Exploit Patch Vendor Advisory
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Patch Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
0.1%
17th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

mermaid_project

Related CVEs

CVE-2026-21652 N/A
CVE-2026-21651 N/A
CVE-2026-21650 N/A
CVE-2026-21649 N/A
CVE-2026-21648 N/A