chore(deps): update dependency mermaid to v11.10.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mermaid	11.4.1 -> 11.10.0

GitHub Vulnerability Alerts

GHSA-m4gq-x24j-jpmf

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

• dist/mermaid.min.js
• dist/mermaid.js
• dist/mermaid.esm.mjs
• dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.

Patches

• develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
• backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

CVE-2025-54880

Summary

In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting.

Details

Architecture diagram service iconText values are passed to the d3 html() method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration.

The vulnerability lies here:

export const drawServices = async function (
  db: ArchitectureDB,
  elem: D3Element,
  services: ArchitectureService[]
): Promise<number> {
  for (const service of services) {
    /** ... **/
    } else if (service.iconText) {
      bkgElem.html(
        `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>`
      );
      const textElemContainer = bkgElem.append('g');
      const fo = textElemContainer
        .append('foreignObject')
        .attr('width', iconSize)
        .attr('height', iconSize);
      const divElem = fo
        .append('div')
        .attr('class', 'node-icon-text')
        .attr('style', `height: ${iconSize}px;`)
        .append('div')
        .html(service.iconText); // <- iconText passed into innerHTML
       /** ... **/
};
};

This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4, around 15 months ago, which was released in v11.1.0.

PoC

Render the following diagram and observe the modified DOM.

architecture-beta
    group api(cloud)[API]
    service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in api

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNo9T8FOwzAM_ZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-_n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeug_v7b8yPdMdgR_kaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

Sanitize the value of iconText before passing it to html().

CVE-2025-54881

Summary

In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

Details

Sequence diagram node labels with KaTeX delimiters are passed through calculateMathMLDimensions. This method passes the full label to innerHTML which allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled).

The vulnerability lies here:

export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};

The calculateMathMLDimensions method was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in Mermaid 10.9.0.

PoC

Render the following diagram and observe the modified DOM.

sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

The value of the text argument for the calculateMathMLDimensions method needs to be sanitized before getting passed on to innerHTML.

---

Mermaid improperly sanitizes sequence diagram labels leading to XSS

CVE-2025-54881 / GHSA-7rqq-prvp-x9jh

More information

Details

Summary

In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

Details

Sequence diagram node labels with KaTeX delimiters are passed through calculateMathMLDimensions. This method passes the full label to innerHTML which allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled).

The vulnerability lies here:

export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};

The calculateMathMLDimensions method was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in Mermaid 10.9.0.

PoC

Render the following diagram and observe the modified DOM.

sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

The value of the text argument for the calculateMathMLDimensions method needs to be sanitized before getting passed on to innerHTML.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
• https://nvd.nist.gov/vuln/detail/CVE-2025-54881
• https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832
• https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e
• https://github.com/mermaid-js/mermaid

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Mermaid does not properly sanitize architecture diagram iconText leading to XSS

CVE-2025-54880 / GHSA-8gwm-58g9-j8pw

More information

Details

Summary

In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting.

Details

Architecture diagram service iconText values are passed to the d3 html() method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration.

The vulnerability lies here:

export const drawServices = async function (
  db: ArchitectureDB,
  elem: D3Element,
  services: ArchitectureService[]
): Promise<number> {
  for (const service of services) {
    /** ... **/
    } else if (service.iconText) {
      bkgElem.html(
        `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>`
      );
      const textElemContainer = bkgElem.append('g');
      const fo = textElemContainer
        .append('foreignObject')
        .attr('width', iconSize)
        .attr('height', iconSize);
      const divElem = fo
        .append('div')
        .attr('class', 'node-icon-text')
        .attr('style', `height: ${iconSize}px;`)
        .append('div')
        .html(service.iconText); // <- iconText passed into innerHTML
       /** ... **/
};
};

This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4, around 15 months ago, which was released in v11.1.0.

PoC

Render the following diagram and observe the modified DOM.

architecture-beta
    group api(cloud)[API]
    service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in api

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNo9T8FOwzAM_ZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-_n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeug_v7b8yPdMdgR_kaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

Sanitize the value of iconText before passing it to html().

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
• https://nvd.nist.gov/vuln/detail/CVE-2025-54880
• https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
• https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
• https://github.com/mermaid-js/mermaid

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

mermaid-js/mermaid (mermaid)

v11.10.0

Compare Source

Minor Changes

• #​6744 daf8d8d Thanks @​SpecularAura! - feat: Added support for per link curve styling in flowchart diagram using edge ids

Patch Changes

• #​6857 b9ef683 Thanks @​knsv! - feat: Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration

• #​6653 2c0931d Thanks @​darshanr0107! - chore: Remove the "-beta" suffix from the XYChart, Block, Sankey diagrams to reflect their stable status

• #​6683 33e08da Thanks @​darshanr0107! - fix: Position the edge label in state diagram correctly relative to the edge

• #​6693 814b68b Thanks @​darshanr0107! - fix: Apply correct dateFormat in Gantt chart to show only day when specified

• #​6734 fce7cab Thanks @​darshanr0107! - fix: handle exclude dates properly in Gantt charts when using dateFormat: 'YYYY-MM-DD HH:mm:ss'

• #​6733 fc07f0d Thanks @​omkarht! - fix: fixed connection gaps in flowchart for roundedRect, stadium and diamond shape

• #​6876 12e01bd Thanks @​sidharthv96! - fix: sanitize icon labels and icon SVGs

  Resolves CVE-2025-54880 reported by @​fourcube

• #​6801 01aaef3 Thanks @​sidharthv96! - fix: Update casing of ID in requirement diagram

• #​6796 c36cd05 Thanks @​HashanCP! - fix: Make flowchart elk detector regex match less greedy

• #​6702 8bb29fc Thanks @​qraqras! - fix(block): overflowing blocks no longer affect later lines

  This may change the layout of block diagrams that have overflowing lines
  (i.e. block diagrams that use up more columns that the columns specifier).

• #​6717 71b04f9 Thanks @​darshanr0107! - fix: log warning for blocks exceeding column width

  This update adds a validation check that logs a warning message when a block's width exceeds the defined column layout.

• #​6820 c99bce6 Thanks @​kriss-u! - fix: Add escaped class literal name on namespace

• #​6332 6cc1926 Thanks @​ajuckel! - fix: Allow equals sign in sequenceDiagram labels

• #​6651 9da6fb3 Thanks @​darshanr0107! - Add validation for negative values in pie charts:

  Prevents crashes during parsing by validating values post-parsing.

  Provides clearer, user-friendly error messages for invalid negative inputs.

• #​6803 e48b0ba Thanks @​omkarht! - chore: migrate to class-based ArchitectureDB implementation

• #​6838 4d62d59 Thanks @​saurabhg772244! - fix: node border style for handdrawn shapes

• #​6739 e9ce8cf Thanks @​kriss-u! - fix: Update flowchart direction TD's behavior to be the same as TB

• #​6833 9258b29 Thanks @​darshanr0107! - fix: correctly render non-directional lines for '---' in block diagrams

• #​6855 da90f67 Thanks @​sidharthv96! - fix: fallback to raw text instead of rendering Unsupported markdown or empty blocks

  Instead of printing Unsupported markdown: XXX, or empty blocks when using a markdown feature
  that Mermaid does not yet support when htmlLabels: true(default) or htmlLabels: false,
  fallback to the raw markdown text.

• #​6876 0133f1c Thanks @​sidharthv96! - fix: sanitize KATEX blocks

  Resolves CVE-2025-54881 reported by @​fourcube

• #​6804 895f9d4 Thanks @​omkarht! - chore: Update packet diagram to use new class-based database structure

v11.9.0

Compare Source

Minor Changes

• #​6453 5acbd7e Thanks @​sidharthv96! - feat: Add getRegisteredDiagramsMetadata to mermaid, which returns all the registered diagram IDs in mermaid

Patch Changes

• #​6738 d90634b Thanks @​shubham-mermaid! - chore: Updated TreeMapDB to use class based approach

• #​6510 7a38eb7 Thanks @​sidharthv96! - chore: Move packet diagram out of beta

• #​6747 3e3ae08 Thanks @​darshanr0107! - fix: adjust sequence diagram title positioning to prevent overlap with top border in Safari

• #​6751 d3e2be3 Thanks @​darshanr0107! - chore: Update MindmapDB to use class based approach

• #​6715 637680d Thanks @​Syn3ugar! - fix(timeline): fix loading leftMargin from config

  The timeline.leftMargin config value should now correctly control the size of the left margin, instead of being ignored.

• Updated dependencies [7a38eb7]:

  • @​mermaid-js/parser@​0.6.2

v11.8.1

Compare Source

Patch Changes

• Updated dependencies [0da2922]:
  • @​mermaid-js/parser@​0.6.1

v11.8.0

Compare Source

Minor Changes

• #​6590 f338802 Thanks @​knsv! - Adding support for the new diagram type nested treemap

Patch Changes

• #​6707 592c5bb Thanks @​darshanr0107! - fix: Log a warning when duplicate commit IDs are encountered in gitGraph to help identify and debug rendering issues caused by non-unique IDs.

• Updated dependencies [f338802]:

  • @​mermaid-js/parser@​0.6.0

v11.7.0

Compare Source

Minor Changes

• #​6479 97b79c3 Thanks @​monicanguyen25! - feat: Add Vertical Line To Gantt Plot At Specified Time

• #​6225 41e84b7 Thanks @​Shahir-47! - feat: Add support for styling Journey Diagram title (color, font-family, and font-size)

• #​6423 aa6cb86 Thanks @​BambioGaming! - Added support for the click directive in stateDiagram syntax

• #​5980 df9df9d Thanks @​BryanCrotazGivEnergy! - feat: Add shorter +<count>: Label syntax in packet diagram

• #​6523 c17277e Thanks @​NourBenz! - fix: allow sequence diagram arrows with a trailing colon but no message

• #​6475 a1ba65c Thanks @​Shahir-47! - feat: Dynamically Render Data Labels Within Bar Charts

Patch Changes

• #​6588 b1cf291 Thanks @​omkarht! - Fix stroke styles for ER diagram to correctly apply path and row-specific styles

• #​6296 a4754ad Thanks @​sidharthv96! - chore: Convert StateDB into TypeScript

• #​6463 2b05d7e Thanks @​AaronMoat! - fix: Remove incorrect style="undefined;" attributes in some Mermaid diagrams

• #​6282 d63d3bf Thanks @​saurabhg772244! - FontAwesome icons can now be embedded as SVGs in flowcharts if they are registered via mermaid.registerIconPacks.

• #​6407 cdbd3e5 Thanks @​thomascizeron! - Refactor grammar so that title don't break Architecture Diagrams

• #​6343 1ddaf10 Thanks @​jeswr! - fix: allow colons in events

• #​6616 ca80f71 Thanks @​ashishjain0512! - fix(timeline): ensure consistent vertical line lengths with visible arrowheads

  Fixed timeline diagrams where vertical dashed lines from tasks had inconsistent lengths. All vertical lines now extend to the same depth regardless of the number of events in each column, with sufficient padding to clearly display both the dashed line pattern and complete arrowheads.

• #​6566 bca6ed6 Thanks @​arpitjain099! - fix: Fix incomplete string escaping in URL manipulation logic when arrowMarkerAbsolute: true by ensuring all unsafe characters are escaped.

• Updated dependencies [df9df9d, cdbd3e5]:

  • @​mermaid-js/parser@​0.5.0

v11.6.0

Compare Source

Minor Changes

• #​6408 ad65313 Thanks @​ashishjain0512! - fix: restore curve type configuration functionality for flowcharts. This fixes the issue where curve type settings were not being applied when configured through any of the following methods:

  • Config
  • Init directive (%%{ init: { 'flowchart': { 'curve': '...' } } }%%)
  • LinkStyle command (linkStyle default interpolate ...)

• #​6381 95d73bc Thanks @​thomascizeron! - Add Radar Chart

Patch Changes

• #​2 16d9b63 Thanks @​calvinvette! - - #​6388
  Thanks @​bollwyvl - Fix requirement diagram containment arrow
• Updated dependencies [95d73bc]:
  • @​mermaid-js/parser@​0.4.0

v11.5.0

Compare Source

Minor Changes

• #​6187 7809b5a Thanks @​ashishjain0512! - Flowchart new syntax for node metadata bugs

  • Incorrect label mapping for nodes when using &
  • Syntax error when } with trailing spaces before new line

• #​6136 ec0d9c3 Thanks @​knsv! - Adding support for animation of flowchart edges

• #​6373 05bdf0e Thanks @​ashishjain0512! - Upgrade Requirement and ER diagram to use the common renderer flow

  • Added support for directions
  • Added support for hand drawn look

• #​6371 4d25cab Thanks @​knsv! - The arrowhead color should match the color of the edge. Creates a unique clone of the arrow marker with the appropriate color.

Patch Changes

• #​6064 2a91849 Thanks @​NicolasNewman! - fix: architecture diagrams no longer grow to extreme heights due to conflicting alignments

• #​6198 963efa6 Thanks @​ferozmht! - Fixes for consistent edge id creation & handling edge cases for animate edge feature

• #​6196 127bac1 Thanks @​knsv! - Fix for issue #​6195 - allowing @​ signs inside node labels

• #​6212 90bbf90 Thanks @​saurabhg772244! - fix: mermaidAPI.getDiagramFromText() now returns a new different db for each class diagram

• #​6218 232e60c Thanks @​saurabhg772244! - fix: revert state db to resolve getData returning empty nodes and edges

• #​6250 9cad3c7 Thanks @​saurabhg772244! - mermaidAPI.getDiagramFromText() now returns a new db instance on each call for state diagrams

• #​6293 cfd84e5 Thanks @​saurabhg772244! - Added versioning to StateDB and updated tests and diagrams to use it.

• #​6161 6cc31b7 Thanks @​saurabhg772244! - fix: mermaidAPI.getDiagramFromText() now returns a new different db for each flowchart

• #​6272 ffa7804 Thanks @​saurabhg772244! - fix: mermaidAPI.getDiagramFromText() now returns a new different db for each sequence diagram. Added unique IDs for messages.

• #​6205 32a68d4 Thanks @​saurabhg772244! - fix: Gantt, Sankey and User Journey diagram are now able to pick font-family from mermaid config.

• #​6295 da6361f Thanks @​omkarht! - fix: getDirection and setDirection in stateDb refactored to return and set actual direction

• #​6185 3e32332 Thanks @​saurabhg772244! - mermaidAPI.getDiagramFromText() now returns a new different db for each state diagram

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - Monday through Friday ( * * * * 1-5 ) in timezone America/New_York.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[kongponents-bot]

🎉 This PR is included in version 1.7.35 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀