CVE-2025-54881: 
JavaScript vulnerability analysis and mitigation

Mermaid, a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams, was found to have a critical security vulnerability in versions 10.9.0-rc.1 to 11.9.0. The vulnerability (CVE-2025-54881) was discovered on August 19, 2025, affecting the default configuration where user-supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, leading to potential Cross-site Scripting (XSS) attacks (GitHub Advisory).

The vulnerability exists in the calculateMathMLDimensions method, which was introduced in commit 5c69e5f. The issue occurs when sequence diagram node labels with KaTeX delimiters are processed. The method passes the full label to innerHTML without proper sanitization, allowing malicious users to inject arbitrary HTML when mermaid-js is used in its default configuration with KaTeX support enabled. The vulnerability has been assigned a CVSS v4.0 score of 5.3 MEDIUM with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).

The vulnerability enables XSS attacks on all sites that use Mermaid and render user-supplied diagrams without additional sanitization. This could allow attackers to inject and execute malicious JavaScript code in the context of other users' browsers who view the affected diagrams (GitHub Advisory).

The vulnerability has been patched in versions 10.9.4 and 11.10.0. The fix involves implementing proper sanitization of the text argument in the calculateMathMLDimensions method before it is passed to innerHTML. Users are strongly advised to upgrade to these patched versions to prevent potential XSS attacks (GitHub Advisory).