Skip to content

chore(deps): update dependency mermaid to v11.10.0 [security] #3610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency mermaid to v11.10.0 [security] #3610

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 20, 2025
edited
Loading

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

This PR contains the following updates:

Package Change Age Confidence
mermaid 11.8.1 -> 11.10.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-54880

Summary

In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting.

Details

Architecture diagram service iconText values are passed to the d3 html() method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration.

The vulnerability lies here:

export const drawServices = async function (
  db: ArchitectureDB,
  elem: D3Element,
  services: ArchitectureService[]
): Promise<number> {
  for (const service of services) {
    /** ... **/
    } else if (service.iconText) {
      bkgElem.html(
        `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>`
      );
      const textElemContainer = bkgElem.append('g');
      const fo = textElemContainer
        .append('foreignObject')
        .attr('width', iconSize)
        .attr('height', iconSize);
      const divElem = fo
        .append('div')
        .attr('class', 'node-icon-text')
        .attr('style', `height: ${iconSize}px;`)
        .append('div')
        .html(service.iconText); // <- iconText passed into innerHTML
       /** ... **/
};
};

This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4, around 15 months ago, which was released in v11.1.0.

PoC

Render the following diagram and observe the modified DOM.

architecture-beta
    group api(cloud)[API]
    service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in api

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNo9T8FOwzAM_ZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-_n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeug_v7b8yPdMdgR_kaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

Sanitize the value of iconText before passing it to html().

CVE-2025-54881

Summary

In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

Details

Sequence diagram node labels with KaTeX delimiters are passed through calculateMathMLDimensions. This method passes the full label to innerHTML which allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled).

The vulnerability lies here:

export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};

The calculateMathMLDimensions method was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in Mermaid 10.9.0.

PoC

Render the following diagram and observe the modified DOM.

sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

The value of the text argument for the calculateMathMLDimensions method needs to be sanitized before getting passed on to innerHTML.

Release Notes

mermaid-js/mermaid (mermaid)

v11.10.0

Compare Source

Minor Changes
Patch Changes

v11.9.0

Compare Source

Minor Changes
  • #​6453 5acbd7e Thanks @​sidharthv96! - feat: Add getRegisteredDiagramsMetadata to mermaid, which returns all the registered diagram IDs in mermaid
Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency label Aug 20, 2025
@netlify Netlify
Copy link

netlify bot commented Aug 20, 2025
edited
Loading

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit a1f89fd
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/68d566abb2e3a60008fa427c

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 20, 2025
edited
Loading

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 38.56
  • Iterations/s: 12.86
  • Failed Requests: 0.00% (0 of 2318)
📜 Logs 

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 837 kB 14 kB/s
     data_sent......................: 1.8 MB 30 kB/s
     http_req_blocked...............: avg=7.41µs   min=2.36µs   med=5.56µs   max=876.63µs p(90)=6.68µs   p(95)=7.45µs  
     http_req_connecting............: avg=954ns    min=0s       med=0s       max=815.91µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=103.03ms min=7.76ms   med=83.77ms  max=907.16ms p(90)=175.9ms  p(95)=202ms   
       { expected_response:true }...: avg=103.03ms min=7.76ms   med=83.77ms  max=907.16ms p(90)=175.9ms  p(95)=202ms   
     http_req_failed................: 0.00%  ✓ 0         ✗ 2318
     http_req_receiving.............: avg=97.65µs  min=21.89µs  med=84.44µs  max=1.68ms   p(90)=125.28µs p(95)=154.29µs
     http_req_sending...............: avg=38.22µs  min=10.04µs  med=30.06µs  max=2.01ms   p(90)=43.17µs  p(95)=56.57µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=102.9ms  min=7.63ms   med=83.66ms  max=907.03ms p(90)=175.79ms p(95)=201.74ms
     http_reqs......................: 2318   38.557025/s
     iteration_duration.............: avg=310.7ms  min=202.21ms med=295.16ms max=1.19s    p(90)=361.53ms p(95)=405.03ms
     iterations.....................: 773    12.857886/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4

@renovate renovate bot force-pushed the renovate-npm-mermaid-vulnerability branch from 2d2fb61 to cd47b60 Compare August 31, 2025 14:36
@renovate renovate bot changed the title fix(deps): update dependency mermaid to v11.10.0 [security] chore(deps): update dependency mermaid to v11.10.0 [security] Sep 25, 2025
@renovate renovate bot force-pushed the renovate-npm-mermaid-vulnerability branch from cd47b60 to 1492383 Compare September 25, 2025 14:51
@renovate renovate bot force-pushed the renovate-npm-mermaid-vulnerability branch from 1492383 to a1f89fd Compare September 25, 2025 15:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants