Listen to this Post
How CVE-2026-41150 Works
This vulnerability resides in the Gantt chart renderer’s logic when handling the `excludes` attribute. The process is as follows:
1. Malicious Input – An attacker specifies a Gantt chart with an `excludes` directive that lists all seven days of the week (e.g., excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday), effectively telling Mermaid to skip every possible calendar date.
2. Triggering the Loop – When rendering such a chart, the internal `ganttDb.getTasks()` function is called. This invokes the `fixTaskDates` helper, which is responsible for adjusting task dates to skip excluded days.
3. No Termination Condition – The `fixTaskDates` function contains a `while (startTime <= endTime)` loop. It increments both the start and end dates by one day each time an excluded day is encountered. When all dates are excluded, this loop lacks an exit condition, as the end date is continuously extended forward, making `startTime <= endTime` always true.
4. Infinite Loop – The renderer enters an infinite loop, consuming 100% of a CPU core and never resolving. This causes the entire application or service using the library to hang indefinitely.
5. Vulnerable Versions – All Mermaid versions `v11.14.0` and earlier, and `v10.9.5` and earlier, are affected.
6. Patch – The fix, implemented in `v11.15.0` and v10.9.6, introduces a maximum iteration limit of 10,000 days (roughly 27 years). If that limit is reached, an error is thrown, preventing the infinite loop.
DailyCVE Form
Platform: `Mermaid`
Version: `<= 11.14.0`
Vulnerability: `Infinite Loop DoS`
Severity: `Moderate`
Date: `2026-05-11`
Prediction: `Already Patched` (expected patch date: 2026-05-11)
What Undercode Say:
Analytics
Count vulnerable Mermaid installations (estimated) npm list mermaid | grep -E "mermaid@(10.|11.[0-9]|11.1[0-4])" | wc -l Check if a Mermaid version is vulnerable if npm list mermaid | grep -qE "mermaid@(10.[0-9].[0-5]|11.[0-9]|11.1[0-4])"; then echo "VULNERABLE: Infinite loop DoS possible" else echo "NOT VULNERABLE" fi Exploit simulation (PoC syntax) cat << 'EOF' > exploit.mmd gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d EOF
Exploit
An attacker can cause a denial-of-service by embedding the following crafted Mermaid code in any user‑controllable input (e.g., a comment, documentation page, or chat message):
gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d
When the library attempts to render this Gantt chart, the renderer hangs permanently, leading to a full CPU‑core DoS. Since no workaround exists, every application using a vulnerable Mermaid version and rendering untrusted Gantt charts is impacted.
Protection from this CVE
- Immediate Upgrade – Update to Mermaid `v11.15.0` or `v10.9.6` (or any later version).
- Input Validation – If an immediate upgrade is impossible, block any user input that contains Gantt charts with an `excludes` attribute listing all seven days of the week.
- Time‑Out Wrapper – As a temporary safeguard, implement a timeout around the `mermaid.parse` or rendering function (e.g., `Promise.race` with a 5‑second timeout).
- Disable Gantt Rendering – In high‑risk environments, disable the Gantt chart feature entirely until a patch can be applied.
Impact
- Availability: Complete loss of availability for the affected service (CPU‑core exhaustion, application freeze).
- Attack Vector: Network‑based; requires only that the attacker can supply a malicious Mermaid diagram to the renderer.
- User Interaction: None beyond viewing or processing the malicious input.
- CVSS v4 Base Score: 5.3 (Medium) – CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
- Practical Consequences: Any website, documentation system, chat application, or CI/CD pipeline that renders untrusted Mermaid Gantt charts can be taken offline with a single crafted input. The vulnerability is trivial to exploit and requires no special privileges.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

