GHSA-39H7-PWV7-RC3X

Vulnerability from github – Published: 2026-04-24 20:41 – Updated: 2026-04-24 20:41
VLAI
Summary
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
Details

Impact

@excalidraw/excalidraw@0.18.0 depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path.

This is patched in @excalidraw/excalidraw@0.18.1 by updating @excalidraw/mermaid-to-excalidraw to 2.2.2, which uses a patched Mermaid 11 release.

Moderate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).

Patches

  • Stable @excalidraw/excalidraw@0.18.1 is patched.
  • Unstable @excalidraw/excalidraw@next has resolved to patched builds since @excalidraw/excalidraw@0.18.0-f29edf on 2025-08-21.
  • Direct consumers of @excalidraw/mermaid-to-excalidraw should use 1.1.3 or later.

Workarounds

None.

Resources

  • Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
  • CVE-2025-54881
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@excalidraw/excalidraw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.18.0"
            },
            {
              "fixed": "0.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.18.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@excalidraw/mermaid-to-excalidraw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T20:41:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`@excalidraw/excalidraw@0.18.0` depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid\u2019s KaTeX label rendering path.\n\nThis is patched in `@excalidraw/excalidraw@0.18.1` by updating `@excalidraw/mermaid-to-excalidraw` to `2.2.2`, which uses a patched Mermaid 11 release.\n\nModerate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).\n\n### Patches\n\n- Stable `@excalidraw/excalidraw@0.18.1` is patched.\n- Unstable `@excalidraw/excalidraw@next` has resolved to patched builds since `@excalidraw/excalidraw@0.18.0-f29edf` on 2025-08-21.\n- Direct consumers of `@excalidraw/mermaid-to-excalidraw` should use `1.1.3` or later.\n\n### Workarounds\n\nNone.\n\n### Resources\n\n- Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh\n- CVE-2025-54881",
  "id": "GHSA-39h7-pwv7-rc3x",
  "modified": "2026-04-24T20:41:51Z",
  "published": "2026-04-24T20:41:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/excalidraw/excalidraw/security/advisories/GHSA-39h7-pwv7-rc3x"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/excalidraw/excalidraw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/excalidraw/excalidraw/releases/tag/v0.18.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…