Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/mermaid@10.9.4
Typenpm
Namespace
Namemermaid
Version10.9.4
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version11.10.0
Latest_non_vulnerable_version11.10.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-q79q-8yzx-p3f6
vulnerability_id VCID-q79q-8yzx-p3f6
summary 
Mermaid improperly sanitizes sequence diagram labels leading to XSS
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calculation of element size, causing XSS.

### Details
Sequence diagram node labels with KaTeX delimiters are passed through `calculateMathMLDimensions`. This method passes the full label to `innerHTML` which allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled). 

The vulnerability lies here:

```ts
export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};
```

The `calculateMathMLDimensions` method was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in [Mermaid 10.9.0](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.0).

### PoC
Render the following diagram and observe the modified DOM.

```
sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!
```

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

### Impact
XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

### Remediation
The value of the `text` argument for the `calculateMathMLDimensions` method needs to be sanitized before getting passed on to `innerHTML`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-54881
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03408
published_at 2026-04-09T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03301
published_at 2026-04-18T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03355
published_at 2026-04-02T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03291
published_at 2026-04-16T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03314
published_at 2026-04-13T12:55:00Z
5
value 0.00015
scoring_system epss
scoring_elements 0.03367
published_at 2026-04-04T12:55:00Z
6
value 0.00015
scoring_system epss
scoring_elements 0.03337
published_at 2026-04-12T12:55:00Z
7
value 0.00015
scoring_system epss
scoring_elements 0.03382
published_at 2026-04-07T12:55:00Z
8
value 0.00015
scoring_system epss
scoring_elements 0.03387
published_at 2026-04-08T12:55:00Z
9
value 0.00015
scoring_system epss
scoring_elements 0.03366
published_at 2026-04-11T12:55:00Z
10
value 0.00015
scoring_system epss
scoring_elements 0.03418
published_at 2026-04-21T12:55:00Z
11
value 0.00017
scoring_system epss
scoring_elements 0.0407
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-54881
1
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
2
reference_url https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-19T18:10:57Z/
url https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832
3
reference_url https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-19T18:10:57Z/
url https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e
4
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-19T18:10:57Z/
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-54881
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-54881
6
reference_url https://github.com/advisories/GHSA-7rqq-prvp-x9jh
reference_id GHSA-7rqq-prvp-x9jh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7rqq-prvp-x9jh
fixed_packages
0
url pkg:npm/mermaid@10.9.4
purl pkg:npm/mermaid@10.9.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.4
1
url pkg:npm/mermaid@11.10.0
purl pkg:npm/mermaid@11.10.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.10.0
aliases CVE-2025-54881, GHSA-7rqq-prvp-x9jh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q79q-8yzx-p3f6
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.4