
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-54881 is a critical security vulnerability affecting Mermaid.js versions 10.9.0-rc.1 through 11.9.0. The vulnerability was discovered in the sequence diagram label handling functionality, where improper sanitization of user input could lead to Cross-Site Scripting (XSS) attacks. The issue was identified and reported by @fourcube and was patched in version 11.10.0 (GitHub Advisory).
The vulnerability exists in the calculateMathMLDimensions method, which was introduced in commit 5c69e5f. The issue occurs when sequence diagram node labels with KaTeX delimiters are processed. The method passes unsanitized user input directly to innerHTML during element size calculation, creating an XSS sink. This vulnerability affects the default configuration of Mermaid when KaTeX support is enabled (GitHub Advisory).
The vulnerability allows malicious users to inject arbitrary HTML and execute cross-site scripting attacks on any website that uses Mermaid.js to render user-supplied diagrams without additional sanitization. This poses a significant security risk as it could lead to unauthorized access, data theft, or manipulation of web content (GitHub Advisory).
The vulnerability has been patched in Mermaid.js version 11.10.0. The fix involves implementing proper sanitization of the text argument in the calculateMathMLDimensions method before it is passed to innerHTML. Users are strongly advised to upgrade to the patched version to prevent potential XSS attacks (GitHub Advisory).
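The pattern the advisory describes (a label string assigned to `innerHTML` while measuring an element) and the shape of the fix (sanitize the text first) can be shown without a browser. The block below is an added example, not Mermaid's own code: `FakeElement`, `measureLabelUnsafe`, `measureLabelSafe` and `escapeHtml` are hypothetical stand-ins that record what would reach `innerHTML`, and `isAffectedByCve202554881` is a helper that checks a version string against the affected range stated above (10.9.0-rc.1 through 11.9.0, fixed in 11.10.0). The sample label is constructed; the escaping helper is a generic entity encoder, not the sanitizer Mermaid actually uses.

```javascript
// Added example (not Mermaid.js code). Runs under plain Node.js, no DOM.

// Stand-in for a DOM element: records the markup that would be assigned to
// innerHTML and approximates which elements a browser would create from it.
class FakeElement {
  constructor() { this.innerHTML = ''; }
  // Tag names an HTML parser would instantiate from the assigned string.
  tagsCreated() {
    return [...this.innerHTML.matchAll(/<\s*([a-zA-Z][\w-]*)/g)]
      .map((m) => m[1].toLowerCase());
  }
}

// Vulnerable pattern: the diagram label goes straight into innerHTML during
// size calculation, so any markup in the label becomes live elements.
function measureLabelUnsafe(label) {
  const el = new FakeElement();
  el.innerHTML = label;              // XSS sink: unsanitized user input
  return el;
}

// Generic HTML entity escaping (hypothetical helper): markup characters are
// encoded so the label is treated as text, not as elements.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: sanitize the text argument before it reaches innerHTML.
function measureLabelSafe(label) {
  const el = new FakeElement();
  el.innerHTML = escapeHtml(label);
  return el;
}

// --- Version check against the affected range from the advisory ---------

// Parses "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before its release (semver rule);
// prerelease identifiers are compared as plain strings, which is enough for
// the "rc.N" tags in the affected range.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Affected: 10.9.0-rc.1 <= version <= 11.9.0. Patched in 11.10.0.
function isAffectedByCve202554881(version) {
  return compareVersions(version, '10.9.0-rc.1') >= 0 &&
         compareVersions(version, '11.9.0') <= 0;
}

// Constructed sample label: harmless markup next to KaTeX delimiters.
const sampleLabel = '<b>hi</b> $$x$$';
console.log('unsafe creates:', measureLabelUnsafe(sampleLabel).tagsCreated());
console.log('safe creates:  ', measureLabelSafe(sampleLabel).tagsCreated());
console.log('11.9.0 affected:', isAffectedByCve202554881('11.9.0'));
console.log('11.10.0 affected:', isAffectedByCve202554881('11.10.0'));
```

The version helper is the piece a defender would actually reuse: run it over the `mermaid` entries in a lockfile or an SBOM to flag installs in the affected range, and treat any diagram source that reaches `innerHTML` without passing through the library's sanitizer as the condition to look for in code review.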
Source: This report was generated using AI