XSS in Mermaid-js Mermaid
CVE-2025-54880
Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user-supplied input…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (3.1 percentile)
Affected products
- Mermaid-js Mermaid — versions >= 11.1.0, < 11.10.0
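The affected range above is the one actionable fact on this page, so the first thing a practitioner wants is a way to find every copy of mermaid an application actually ships, including nested copies pulled in by a docs or Markdown plugin. The following is an added example (not code from the advisory or the mermaid project): a dependency-free semver range check for `>= 11.1.0, < 11.10.0` plus a walker over npm's `package-lock.json` (the flat `packages` map of lockfile versions 2 and 3, and the nested `dependencies` tree of version 1). The lockfile at the bottom is a constructed sample, not taken from any real project.

```javascript
// Added example, not code from the advisory or the mermaid project.
// Checks whether a mermaid version is inside the affected range listed for
// CVE-2025-54880 (>= 11.1.0, < 11.10.0) and finds every mermaid copy in an
// npm package-lock.json, including nested copies under other packages.
// The sample lockfile at the bottom is constructed for this example.

const AFFECTED_RANGE = { introduced: "11.1.0", fixed: "11.10.0" };

// Minimal semver parser: major.minor.patch with an optional -prerelease.
// Build metadata (+...) is accepted and ignored, as semver specifies.
function parseSemver(input) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(input).trim());
  if (!m) throw new Error(`not a semver version: ${input}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] ?? null };
}

// Comparator: negative, zero or positive. A prerelease sorts before the
// release with the same numbers (11.10.0-rc.1 < 11.10.0), so a release
// candidate of the fixed version is still reported as affected. Two
// prereleases are compared lexically, a simplification that is good enough
// for a range check whose boundaries are plain releases.
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

function isAffected(version) {
  const v = parseSemver(version);
  return compareSemver(v, parseSemver(AFFECTED_RANGE.introduced)) >= 0 &&
         compareSemver(v, parseSemver(AFFECTED_RANGE.fixed)) < 0;
}

// Walks a parsed package-lock.json. lockfileVersion 2/3 has a flat "packages"
// map keyed by install path; lockfileVersion 1 nests "dependencies" per package.
function findAffectedMermaid(lock) {
  const hits = [];
  const record = (path, version) => {
    if (version && isAffected(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/mermaid" || path.endsWith("/node_modules/mermaid")) {
        record(path, meta.version);
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "mermaid") record(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: a direct copy on the last vulnerable release and a
// nested copy under a (hypothetical) plugin that already has the fix.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/mermaid": { version: "11.9.0" },
    "node_modules/some-docs-plugin": { version: "2.3.1" },
    "node_modules/some-docs-plugin/node_modules/mermaid": { version: "11.10.0" },
  },
};

console.log(JSON.stringify(findAffectedMermaid(SAMPLE_LOCK)));
// [{"path":"node_modules/mermaid","version":"11.9.0"}]
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; every hit is a copy to bump to 11.10.0 or later, and the nested-copy case is the one that a plain `npm ls mermaid` of the top-level dependency is easy to overlook. Note that the description says the default configuration is affected, so no non-default rendering setting should be relied on as the fix; mermaid does document a `securityLevel: "sandbox"` option that renders diagrams inside a sandboxed iframe, but whether it blocks this particular issue is not stated on this page.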
References
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw (vendor advisory)
- https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc (commit)
- https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4 (commit)
Frequently asked questions
- What is CVE-2025-54880?
- CVE-2025-54880 is a vulnerability in Mermaid-js Mermaid, classified as Cross-Site Scripting. Published 2025-08-19.
- Is CVE-2025-54880 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.