CVE-2025-54880
PUBLISHED
CVSS 5.1 MEDIUM
Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user-supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross-site scripting (XSS). This vulnerability is fixed in 11.10.0.
EPSS 0.02% · 3.2nd percentile
Risk Scores
CVSS v4.0
5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS Score
0.02%
3.2nd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| mermaid_project | mermaid | 11.1.0 |
| npm | mermaid | 11.1.0 |
| mermaid-js | mermaid | >= 11.1.0, < 11.10.0 |
Timeline
- Aug 19, 2025 CVE Published
- Aug 19, 2025 PoC Published
- Aug 20, 2025 EPSS Score
- Aug 20, 2025 Coalition ESS Score
- Aug 26, 2025 Coalition ESS Score
- Aug 28, 2025 EPSS Score
- Sep 5, 2025 EPSS Score
- Sep 13, 2025 EPSS Score
- Sep 20, 2025 Coalition ESS Score
- Sep 21, 2025 EPSS Score
- Sep 27, 2025 Coalition ESS Score
References
- Security advisory (GHSA-8gwm-58g9-j8pw): https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
- Fix commit: https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
- Fix commit: https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
- NVD advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54880
- Package repository: https://github.com/mermaid-js/mermaid