GHSA-39H7-PWV7-RC3X
Vulnerability from github – Published: 2026-04-24 20:41 – Updated: 2026-04-24 20:41
VLAI
Summary
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
Details
Impact
@excalidraw/excalidraw@0.18.0 depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path.
This is patched in @excalidraw/excalidraw@0.18.1 by updating @excalidraw/mermaid-to-excalidraw to 2.2.2, which uses a patched Mermaid 11 release.
Moderate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).
Patches
- Stable
@excalidraw/excalidraw@0.18.1is patched. - Unstable
@excalidraw/excalidraw@nexthas resolved to patched builds since@excalidraw/excalidraw@0.18.0-f29edfon 2025-08-21. - Direct consumers of
@excalidraw/mermaid-to-excalidrawshould use1.1.3or later.
Workarounds
None.
Resources
- Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
- CVE-2025-54881
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@excalidraw/excalidraw"
},
"ranges": [
{
"events": [
{
"introduced": "0.18.0"
},
{
"fixed": "0.18.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.18.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@excalidraw/mermaid-to-excalidraw"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "1.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T20:41:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`@excalidraw/excalidraw@0.18.0` depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid\u2019s KaTeX label rendering path.\n\nThis is patched in `@excalidraw/excalidraw@0.18.1` by updating `@excalidraw/mermaid-to-excalidraw` to `2.2.2`, which uses a patched Mermaid 11 release.\n\nModerate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).\n\n### Patches\n\n- Stable `@excalidraw/excalidraw@0.18.1` is patched.\n- Unstable `@excalidraw/excalidraw@next` has resolved to patched builds since `@excalidraw/excalidraw@0.18.0-f29edf` on 2025-08-21.\n- Direct consumers of `@excalidraw/mermaid-to-excalidraw` should use `1.1.3` or later.\n\n### Workarounds\n\nNone.\n\n### Resources\n\n- Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh\n- CVE-2025-54881",
"id": "GHSA-39h7-pwv7-rc3x",
"modified": "2026-04-24T20:41:51Z",
"published": "2026-04-24T20:41:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/excalidraw/excalidraw/security/advisories/GHSA-39h7-pwv7-rc3x"
},
{
"type": "WEB",
"url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh"
},
{
"type": "PACKAGE",
"url": "https://github.com/excalidraw/excalidraw"
},
{
"type": "WEB",
"url": "https://github.com/excalidraw/excalidraw/releases/tag/v0.18.1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…