Vulnerability details: VCID-dmks-9n4b-vkh6
Vulnerability ID VCID-dmks-9n4b-vkh6
Aliases CVE-2025-54880
GHSA-8gwm-58g9-j8pw
Summary Mermaid does not properly sanitize architecture diagram iconText leading to XSS

### Summary

In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method, creating a sink for cross site scripting.

### Details

Architecture diagram service `iconText` values are passed to the d3 `html()` method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in its default configuration. The vulnerability lies here:

```ts
export const drawServices = async function (
  db: ArchitectureDB,
  elem: D3Element,
  services: ArchitectureService[]
): Promise<number> {
  for (const service of services) {
    /** ... **/
    } else if (service.iconText) {
      bkgElem.html(
        `<g>${await getIconSVG('blank', {
          height: iconSize,
          width: iconSize,
          fallbackPrefix: architectureIcons.prefix,
        })}</g>`
      );
      const textElemContainer = bkgElem.append('g');
      const fo = textElemContainer
        .append('foreignObject')
        .attr('width', iconSize)
        .attr('height', iconSize);
      const divElem = fo
        .append('div')
        .attr('class', 'node-icon-text')
        .attr('style', `height: ${iconSize}px;`)
        .append('div')
        .html(service.iconText); // <- iconText passed into innerHTML
    /** ... **/
  };
};
```

This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4, around 15 months ago, which was released in [v11.1.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.1.0).

### PoC

Render the following diagram and observe the modified DOM.

```
architecture-beta
    group api(cloud)[API]
    service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in api
```

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNo9T8FOwzAM_ZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-_n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeug_v7b8yPdMdgR_kaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA

### Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

### Remediation

Sanitize the value of `iconText` before passing it to `html()`.
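The remediation above, as an added example that is not Mermaid's own code: the raw pattern from the advisory next to a version that HTML-escapes `iconText` before it reaches the `html()` sink. The `FakeSelection` class is an assumed stand-in for a d3 selection so the snippet runs without a DOM, and the sample payload is constructed.

```javascript
// Added example, not Mermaid's code. Shows the unsafe and the escaped path
// for an untrusted iconText value that ends up in innerHTML via d3's html().

// Escape the characters that can open a tag, close an attribute or start an
// entity, so the browser treats the whole value as literal text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for a d3 selection (assumed shape, so this runs without a
// DOM): html() assigns raw markup exactly like element.innerHTML would.
class FakeSelection {
  constructor() { this.innerHTML = ''; }
  html(markup) { this.innerHTML = markup; return this; }
}

// Vulnerable pattern from the advisory: iconText goes straight into html().
function renderIconTextUnsafe(iconText) {
  return new FakeSelection().html(iconText).innerHTML;
}

// Remediated pattern: same sink, but the value is escaped first, so any
// tag in iconText is displayed as text rather than parsed as markup.
function renderIconTextSafe(iconText) {
  return new FakeSelection().html(escapeHtml(iconText)).innerHTML;
}

// Check usable in a unit test: does the rendered markup still contain
// something the HTML parser would treat as a tag?
function containsTag(rendered) {
  return /<[a-zA-Z!\/]/.test(rendered);
}

// Constructed sample in the shape of the advisory's PoC payload.
const SAMPLE_ICON_TEXT = '<img src=x onerror="alert(document.domain)">';

console.log('unsafe:', renderIconTextUnsafe(SAMPLE_ICON_TEXT));
console.log('safe:  ', renderIconTextSafe(SAMPLE_ICON_TEXT));
```

Escaping to text is the narrowest fix; if a deployment needs to keep some markup in `iconText`, an allowlist-based sanitizer library is the alternative, not shown here.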
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
| System | Score | Found at |
|---|---|---|
| epss | 0.00013 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 8e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 9e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 9e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| epss | 9e-05 | https://api.first.org/data/v1/epss?cve=CVE-2025-54880 |
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-8gwm-58g9-j8pw |
| cvssv4 | 5.1 | https://github.com/mermaid-js/mermaid |
| generic_textual | MODERATE | https://github.com/mermaid-js/mermaid |
| cvssv4 | 5.1 | https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc |
| generic_textual | MODERATE | https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc |
| ssvc | Track | https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc |
| cvssv4 | 5.1 | https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4 |
| generic_textual | MODERATE | https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4 |
| ssvc | Track | https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4 |
| cvssv3.1_qr | MODERATE | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw |
| cvssv4 | 5.1 | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw |
| generic_textual | MODERATE | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw |
| ssvc | Track | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw |
| cvssv4 | 5.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-54880 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2025-54880 |
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/mermaid-js/mermaid

Decoded metrics for this vector:

- Attack Vector (AV): network
- Attack Complexity (AC): low
- Attack Requirements (AT): none
- Privileges Required (PR): low
- User Interaction (UI): passive
- Vulnerable System Impact Confidentiality (VC): none
- Vulnerable System Impact Integrity (VI): none
- Vulnerable System Impact Availability (VA): none
- Subsequent System Impact Confidentiality (SC): low
- Subsequent System Impact Integrity (SI): low
- Subsequent System Impact Availability (SA): none

The same CVSS 4.0 vector is recorded from the sources listed below.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-19T17:09:29Z/ Found at https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-19T17:09:29Z/ Found at https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-19T17:09:29Z/ Found at https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-54880
Exploit Prediction Scoring System (EPSS)
Percentile 0.02318
EPSS Score 0.00013
Published At May 5, 2026, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T12:56:05.074317+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-8gwm-58g9-j8pw/GHSA-8gwm-58g9-j8pw.json | 38.0.0 |