The CVE-2025-41089 vulnerability in Mermaid.js stems from improper sanitization of user-supplied input within sequence diagram labels. In the default configuration, which includes KaTeX support, labels containing KaTeX delimiters are processed by the `calculateMathMLDimensions` function. This function’s purpose is to compute the dimensions of mathematical expressions for rendering. However, it directly assigns the unsanitized label text to an element’s `innerHTML` property. This action bypasses standard security sanitization routines. Consequently, an attacker can craft a malicious sequence diagram label containing a JavaScript payload. When a victim views a diagram containing this malicious label, the payload is executed within their browser context, leading to a Cross-Site Scripting attack. The vulnerable code path was introduced in a specific commit two years prior and affected versions starting from 10.9.0.
Platform: Mermaid.js
Version: 10.9.0+
Vulnerability: XSS
Severity: Moderate
Date: 2025-08-19
Prediction: 2025-09-02
What Undercode Says:
# Pull the NVD record for this CVE (NVD CVE API 2.0 endpoint; the original line pointed at a host that does not serve this API)
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-41089" | jq .
// Vulnerable code snippet (conceptual reconstruction of the path described above, not Mermaid's actual source)
function calculateMathMLDimensions(text) {
  const el = document.createElement('div');
  el.innerHTML = text; // Unsanitized input: any HTML in the label is parsed as live markup
  document.body.appendChild(el); // Attaching the element is what lets event handlers such as onerror fire
  // ... calculate dimensions ...
  const dims = { width: el.offsetWidth, height: el.offsetHeight };
  el.remove(); // Drop the temporary measuring element again
  return dims;
}
How to Exploit:
Malicious label: <img src=x onerror=alert('XSS')>
Protection from this CVE:
- Update Mermaid.js to a patched version
- Sanitize label input before it is assigned to innerHTML
- Disable KaTeX support if it is not needed
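The unsanitized path from the advisory next to a hardened one, as an added example that is not Mermaid.js code; the KaTeX delimiter regexes, escapeHtml, the injected `doc` and the sample label are assumptions of this example.

```javascript
// Added example (not Mermaid.js source): the unsanitized path described in the
// advisory next to a hardened one, plus a check for labels carrying live markup.
// KATEX_DELIMITERS, escapeHtml and the injected `doc` are assumptions here.

// Crude stand-in for the delimiters that route a label into the KaTeX path.
const KATEX_DELIMITERS = [/\$\$[\s\S]+?\$\$/, /\$[^$\n]+?\$/];

function hasKatexDelimiters(label) {
  return KATEX_DELIMITERS.some((re) => re.test(label));
}

// Entity-encode the five HTML-significant characters so the label is
// displayed as text rather than parsed as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable shape: the raw label becomes the element's markup.
function vulnerableMarkup(label) { return label; }

// Hardened shape: escape before the string can ever reach innerHTML.
// The characters KaTeX needs ($, ^, =, letters) are untouched.
function hardenedMarkup(label) { return escapeHtml(label); }

// Measuring helper with `doc` injected so it runs outside a browser. The
// measuring element is always removed again, even if measuring throws.
function calculateMathMLDimensions(label, doc, toMarkup = hardenedMarkup) {
  const el = doc.createElement('div');
  el.innerHTML = toMarkup(label);
  doc.body.appendChild(el);
  try {
    return { width: el.offsetWidth, height: el.offsetHeight };
  } finally {
    el.remove();
  }
}

// Detection: flag labels that contain a tag opener or an on*= event handler
// attribute, i.e. content that only makes sense as HTML. A bare comparison
// such as "x < 5" does not trigger it.
function looksLikeHtmlInjection(label) {
  return /<\s*[a-z!/]/i.test(label) || /\bon\w+\s*=/i.test(label);
}

// Constructed sample built from the advisory's payload: an untrusted diagram label.
const SAMPLE_LABEL = "$E=mc^2$ <img src=x onerror=alert('XSS')>";
```

Entity-encoding is the minimal fix shown here; a real integration would route the label through the library's HTML sanitizer before KaTeX sees it, since a math expression containing `<` now arrives as `&lt;`.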
Impact:
- Arbitrary script execution in the victim's browser
- Session hijacking
Sources:
Reported By: github.com