6.1 CVE-2025-54880
Patch Exploit
Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user-supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross-site scripting. This vulnerability is fixed in 11.10.0.
https://nvd.nist.gov/vuln/detail/CVE-2025-54880
Categories
CWE-79
References
134c704f-9b21-4f2e-91b3-4a467353bcc0 Patch Exploit
| https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw Exploit Patch Vendor Advisory |
security-advisories@github.com Patch Exploit
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:a:mermaid_project:mermaid:*:*:*:*:*:node.js:*:* | >= 11.1.0 | < 11.10.0 |
REMEDIATION
Patch
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
Other Nist (github, ...)
| Url |
|---|
| https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| No entry | ||
