Skip to content

Improper sanitization of sequence diagram labels leads to XSS

Critical
sidharthv96 published GHSA-7rqq-prvp-x9jh Aug 19, 2025

Package

npm mermaid (npm)

Affected versions

>= 11.0.0-alpha.1, < 11.10.0
>= 10.9.0-rc.1, < 10.9.4

Patched versions

11.10.0
10.9.4

Description

Summary

In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

Details

Sequence diagram node labels with KaTeX delimiters are passed through calculateMathMLDimensions. This method passes the full label to innerHTML which allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled).

The vulnerability lies here:

export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};

The calculateMathMLDimensions method was introduced in 5c69e5f two years ago, which was released in Mermaid 10.9.0.

PoC

Render the following diagram and observe the modified DOM.

sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

The value of the text argument for the calculateMathMLDimensions method needs to be sanitized before getting passed on to innerHTML.

Severity

Critical

CVE ID

CVE-2025-54881

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Credits