CVE-2025-54880: 
JavaScript vulnerability analysis and mitigation

CVE-2025-54880 affects Mermaid, a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions. The vulnerability was discovered in versions 11.9.0 and earlier, where user-supplied input for architecture diagram icons is improperly handled, leading to potential cross-site scripting (XSS) attacks. The issue was disclosed on August 19, 2025, and has been patched in version 11.10.0 (NVD, GitHub Advisory).

The vulnerability stems from insufficient sanitization of architecture diagram service iconText values, which are directly passed to the d3 html() method. This creates a potential cross-site scripting sink in the default configuration. The issue was introduced with commit 734bde3 and affects versions from 11.1.0 to 11.9.0. The vulnerability has been assigned a CVSS v4.0 score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (GitHub Advisory).

The vulnerability allows malicious users to inject arbitrary HTML and execute cross-site scripting attacks when Mermaid is used in its default configuration. This affects all sites that use Mermaid and render user-supplied diagrams without additional sanitization measures (GitHub Advisory).

The vulnerability has been fixed in Mermaid version 11.10.0 by implementing proper sanitization of the iconText value before passing it to the html() method. Users are strongly recommended to upgrade to this version or later. The fix was implemented through commits 2aa83302795183ea5c65caec3da1edd6cb4791fc and 734bde38777c9190a5a72e96421c83424442d4e4 (GitHub Advisory).