CVE-2025-54880
Last modified
CVE-2025-54880 is a medium-severity vulnerability rated 5.1/10 on the CVSS scale. Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. EPSS estimates a 0.34% chance of exploitation in the next 30 days.
Description
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mermaid Project | Mermaid | >= 11.1.0, < 11.10.0 |
References
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pwExploit, Patch, Vendor Advisory
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pwExploit, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-54880?
How severe is CVE-2025-54880?
How do I fix CVE-2025-54880?
Are you affected by CVE-2025-54880?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST