@excalidraw/excalidraw, XSS via Mermaid dependency, CVE-2025-54881 (Moderate)

Listen to this Post

The CVE-2025-54881 vulnerability resides in the Mermaid diagramming library, which Excalidraw depends on for rendering Mermaid diagrams. In Mermaid versions 10.9.0-rc.1 through 11.9.0, a cross-site scripting (XSS) flaw exists in the default configuration due to improper sanitization of sequence diagram labels. When a sequence diagram label contains KaTeX delimiters, the `calculateMathMLDimensions` function passes the full label unsanitized to innerHTML, creating an XSS sink. This allows an attacker to inject arbitrary HTML and JavaScript, which the browser will execute in the context of the page. The vulnerable code path is triggered when the library calculates the dimensions of a KaTeX expression; the function creates a temporary div, sets its `innerHTML` to the user-supplied label, and appends it to the DOM. Because the label is not sanitized, an attacker can embed an `` tag that executes JavaScript. For Excalidraw versions 0.18.0, which bundled a vulnerable Mermaid conversion package, a malicious user could paste a crafted Mermaid diagram into the editor and trigger XSS. The Excalidraw team addressed this by updating to @excalidraw/[email protected], which uses a patched Mermaid 11 release, released in Excalidraw 0.18.1. The next unstable builds were patched starting from `@excalidraw/[email protected]` on 2025-08-21.
Platform: Excalidraw
Version: 0.18.0
Vulnerability: XSS via Mermaid
Severity: Moderate
Date: 2025-08-19

Prediction: 2025-08-21

Analytics

Tracking vulnerable versions:

`npm list @excalidraw/excalidraw | grep “0.18.0”`

Detecting vulnerable Mermaid versions in a project:

`npm list mermaid | grep -E “10\.[0-9]+\.[0-9]+|11\.[0-9]\.[0-9]”`

Monitoring for exploitation attempts in logs:

`grep -E “sequenceDiagram.

What Undercode Say:

The vulnerability is a classic DOM-based XSS introduced by unsafely assigning user input to `innerHTML`. The root cause is the failure to escape or sanitize KaTeX container content before calling `innerHTML`. This is particularly dangerous because Mermaid is widely used in many web applications that allow user-generated diagrams.

Exploit

Proof-of-Concept (PoC) Mermaid diagram:

sequenceDiagram
participant A as Alice<img src="x" onerror="alert('XSS')">$$\\text{Alice}$$
A->>John: Hello John, how are you?
Alice-)John: See you later!

When pasted into Excalidraw 0.18.0, the `onerror` JavaScript executes.

Protection from this CVE

– Upgrade to @excalidraw/[email protected] or later.
– Direct consumers must use @excalidraw/[email protected] or higher.
– For Mermaid-only projects, upgrade to Mermaid 11.10.0 or 10.9.4.
– As a temporary measure, disable KaTeX support in Mermaid (though not a complete fix).
– No full workaround exists for Excalidraw due to deep integration.

Impact

Successful XSS allows an attacker to execute arbitrary JavaScript in the context of the Excalidraw page, potentially stealing session cookies, performing actions on behalf of the user, or defacing the editor. The impact is mitigated by the requirement for manual user interaction (pasting the malicious diagram). All sites using Excalidraw 0.18.0 or earlier are affected.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: [github.com](https://github.com/advisories/GHSA-39h7-pwv7-rc3x)
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top