chore(deps): update dependency mermaid to v11.15.0 [security] #2482
Looks good to me
Retro: PR #2482 — Renovate mermaid security bump

Workflow went smoothly. Renovate opened a single-file

Observations (no new proposals — existing issues cover them):

No new proposals filed — existing open issues adequately cover all identified improvements.
This PR contains the following updates:

mermaid: 11.14.0 → 11.15.0

Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
CVE-2026-41148 / GHSA-xcj9-5m2h-648r

Details

The state diagram and any other diagram type that routes user-controlled style strings through the `createCssStyles` parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex:

The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (`mermaidAPI.ts:418`). A `}` in the value closes the generated CSS selector, and everything after it becomes a new CSS rule on the page.

PoC

Live demo:
https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU
Patches

This has been patched in:

Workarounds

Setting `"securityLevel": "sandbox"` will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.

Impact

Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr

Impact

Under the default configuration, Mermaid state diagram `classDef`s allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS.

Proof-of-concept

Patches

Workarounds

If you can not update to a patched version, setting `"securityLevel": "sandbox"` will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.

Credits

Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
CVE-2026-41150 / GHSA-6m6c-36f7-fhxh

Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the `excludes` attribute to exclude all dates.

Example:

`mermaid.parse` is unaffected, unless you then call `ganttDb.getTasks()` (which is called when rendering a diagram).

Patches

This has been patched in:

Workarounds

There are no workarounds available without updating to a newer version of mermaid.

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mermaid: Improper sanitization of configuration leads to CSS injection
CVE-2026-41159 / GHSA-87f9-hvmw-gh4p

Impact

Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options.

Live demo: mermaid.live

Example code:

The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable, as stylis hoists them to the top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors.

Patches

Workarounds

If you can't upgrade mermaid, you can set the `secure` config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting `"securityLevel": "sandbox"` will also prevent this.

Credits

Reported by @zsxsoft on behalf of @KeenSecurityLab

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes

mermaid-js/mermaid (mermaid)

v11.15.0 (Compare Source)

Minor Changes

- #7174 0aca217 Thanks @milesspencer35! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive
- #7512 8e17492 Thanks @aruncveli! - feat(flowchart): add datastore shape. In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`.
- #6440 9ad8dde Thanks @yordis, @lgazo! - feat: add Event Modeling diagram
- #7707 27db774 Thanks @txmxthy! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source
- #7604 bf9502f Thanks @M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting. If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can set `class.hierarchicalNamespaces=false` in your mermaid config:
- #7272 88cdd3d Thanks @xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes

- #7737 e9b0f34 Thanks @ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs
- #7737 37ff937 Thanks @ashishjain0512! - fix: create CSS styles using the CSSOM. This removes some invalid CSS and normalizes some CSS formatting.
- #7508 bfe60cc Thanks @biiab! - fix(stateDiagram): `end note` now only closes a note when used on a new line
- #7737 faafb5d Thanks @ashishjain0512! - fix(gantt): add iteration limit for `excludes` field
- #7737 65f8be2 Thanks @ashishjain0512! - fix: disallow some CSS at-rules in custom CSS
- #7726 1502f32 Thanks @aloisklink! - fix(wardley): fix unnecessary sanitization of text
- #7578 1f98db8 Thanks @Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times. Fixes #7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.
- #7592 2343e38 Thanks @knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams
- #7589 7fb9509 Thanks @NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans
- #7632 3f9e0f1 Thanks @ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams
- #7642 7a8fb85 Thanks @tractorjuice! - fix(wardley): allow hyphens in unquoted component names. Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly.
- #7523 5144ed4 Thanks @darshanr0107! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax.
- #7262 13d9bfa Thanks @darshanr0107! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax
- #7684 e14bb88 Thanks @aloisklink! - fix: loosen `uuid` dependency range to allow v14. Mermaid does not use any of the vulnerable code in CVE-2026-41907, but this allows users to silence any `npm audit` alerts on it.
- #7633 9217c0d Thanks @Felix-Garci! - fix(block): add support for all arrow types in block diagrams
- #7587 5e7eb62 Thanks @MaddyGuthridge! - chore: drop lodash-es in favour of es-toolkit
- #7693 afaf306 Thanks @dull-bird! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels. Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule. Fixes #7120.
- #7737 4755553 Thanks @ashishjain0512! - fix: improve D3 types for mermaidAPI funcs
- #7737 6476973 Thanks @ashishjain0512! - fix: handle `&` when namespacing CSS rules
- #7520 8c1a0c1 Thanks @RodrigojndSantos! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments. Switch to using two `%%` if you want to write a comment.
- Updated dependencies [7a8fb85, 675a64c]

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
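Added example (not mermaid's, Renovate's, or this repository's code): defender-side checks an application that renders user-supplied diagrams can apply while it is still on v11.14.0, covering the `securityLevel`/`secure` workarounds and the `classDef` and `excludes` triggers described in the four advisories above. The function names, the screening regexes and the sample diagram text are this example's own assumptions; the `secure` default list is taken from mermaid's documented defaults.

```javascript
// Added example, not mermaid's own code. Helper names and regexes are
// this example's assumptions; the diagram text and config are constructed.
const STYLE_KEYS = ["fontFamily", "themeCSS", "altFontFamily", "themeVariables"];
// mermaid's documented default for `secure` (keys directives may not override).
const DEFAULT_SECURE = ["secure", "securityLevel", "startOnLoad", "htmlLabels"];

// CVE-2026-41159 workaround: lock the style keys via `secure` and render in a
// sandboxed <iframe> (`securityLevel: "sandbox"`), which the advisories also
// give as the workaround for CVE-2026-41148/41149. Returns a new config object.
function hardenMermaidConfig(cfg = {}) {
  const secure = new Set([...(cfg.secure ?? DEFAULT_SECURE), ...STYLE_KEYS]);
  return { ...cfg, securityLevel: "sandbox", secure: [...secure] };
}

// Pre-screen classDef style strings in diagram source. A "}" can close the
// generated selector (CVE-2026-41148); at-rules and url() are the other CSS
// primitives the advisories name. Returns 1-based line numbers to reject.
function auditClassDefStyles(src) {
  const flagged = [];
  src.split("\n").forEach((line, i) => {
    const m = /^\s*classDef\s+\S+\s+(.*)$/.exec(line);
    if (m && /[{}]|@[a-z-]+|url\s*\(/i.test(m[1])) flagged.push(i + 1);
  });
  return flagged;
}

// CVE-2026-41150 guard: true when a gantt `excludes` line rules out every
// weekday ("weekends" counts as saturday and sunday), i.e. the input that
// makes the pre-fix getTasks() loop forever. Specific dates cannot do this.
function ganttExcludesAllDays(src) {
  const m = /^\s*excludes\s+(.*)$/im.exec(src);
  if (!m) return false;
  const days = new Set();
  for (const tok of m[1].toLowerCase().split(/[\s,]+/)) {
    if (tok === "weekends") days.add("saturday").add("sunday");
    else if (/^(mon|tues|wednes|thurs|fri|satur|sun)day$/.test(tok)) days.add(tok);
  }
  return days.size === 7;
}

// Constructed sample inputs: one benign and one selector-closing classDef,
// and a gantt header that excludes all seven days.
const SAMPLE_STATE = [
  "stateDiagram-v2",
  "  classDef ok fill:#f9f,stroke:#333",
  "  classDef bad fill:red} body{background:red",
].join("\n");
const SAMPLE_GANTT = "gantt\n  excludes weekends, monday, tuesday, wednesday, thursday, friday\n";
```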