VDB
CVE-2025-54881
PUBLISHED
CVSS 5.3 MEDIUM
Mermaid improperly sanitizes sequence diagram labels leading to XSS
EPSS 0.03% · 8.0th percentile
Risk Scores
CVSS v4.0
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS Score
0.03%
8.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| mermaid-js | mermaid | >= 10.9.0-rc.1, <= 11.9.0 |
| npm | mermaid | 11.0.0-alpha.1, 10.9.0-rc.1 |
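The affected range above starts at a prerelease tag (10.9.0-rc.1) and the npm row lists two more prerelease identifiers, which is exactly where naive string comparison goes wrong: "10.9.0-rc.1" sorts after "10.9.0" as text but precedes it under SemVer. The following is an added example, not code from this listing or from the Mermaid project, that implements SemVer 2.0.0 precedence (including prerelease ordering) and scans a package-lock.json for every installed copy of mermaid inside the listed range. The constants AFFECTED_MIN and AFFECTED_MAX are taken from the table; the lockfile content is constructed for the example.

```javascript
// Added example: check whether a mermaid version falls inside the affected
// range listed above (>= 10.9.0-rc.1, <= 11.9.0). Not Mermaid project code.
// Minimal SemVer 2.0.0 comparison with prerelease precedence, so that
// 10.9.0-rc.0 (before the range) and 10.9.0-rc.1 (first affected) are told
// apart without depending on the npm `semver` package.

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [], // build metadata is ignored per spec
  };
}

// Prerelease identifier ordering: numeric identifiers compare as integers
// and sort before alphanumeric ones; alphanumeric ones compare lexically.
function compareIdent(a, b) {
  const aNum = /^\d+$/.test(a), bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  // Same core version: a release outranks any prerelease of that version.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer prerelease list is higher.
  return Math.sign(a.pre.length - b.pre.length);
}

const AFFECTED_MIN = '10.9.0-rc.1'; // inclusive, from the table above
const AFFECTED_MAX = '11.9.0';      // inclusive, from the table above

function isAffectedMermaid(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 &&
         compareSemver(version, AFFECTED_MAX) <= 0;
}

// Scan a package-lock.json (lockfileVersion 2/3 "packages" map) for every
// installed copy of mermaid, including copies nested under other packages
// (node_modules/<dep>/node_modules/mermaid), which `npm ls` users often miss.
function findAffectedMermaidInLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isMermaid = path === 'node_modules/mermaid' ||
                      path.endsWith('/node_modules/mermaid');
    if (isMermaid && entry.version && isAffectedMermaid(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): one copy below the
// range at top level, one affected copy nested under a hypothetical docs tool.
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/mermaid': { version: '10.8.0' },
    'node_modules/docs-tool/node_modules/mermaid': { version: '11.4.1' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findAffectedMermaidInLock(SAMPLE_LOCK));
}
```

Run it with `node` after replacing SAMPLE_LOCK with the contents of a real package-lock.json. The upper bound is taken literally from the table; the listing does not state a first fixed release, so treat anything above 11.9.0 as "outside the listed range" rather than "confirmed patched" until checked against the GHSA advisory in the references.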
Timeline
- Security Advisory (date not recorded in this listing)
- Aug 19, 2025 CVE Published
- Aug 19, 2025 PoC Published
- Aug 20, 2025 EPSS Score
- Aug 20, 2025 Coalition ESS Score
- Aug 26, 2025 Coalition ESS Score
- Aug 28, 2025 EPSS Score
- Sep 5, 2025 EPSS Score
- Sep 13, 2025 EPSS Score
- Sep 21, 2025 EPSS Score
- Sep 29, 2025 EPSS Score
- Oct 4, 2025 Coalition ESS Score
References
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh url
- https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832 url
- https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e url
- https://nvd.nist.gov/vuln/detail/CVE-2025-54881 advisory
- https://github.com/mermaid-js/mermaid package