DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-39H7-PWV7-RC3X: DOM-based XSS in Excalidraw via Mermaid Diagram Rendering

Vulnerability ID: GHSA-39H7-PWV7-RC3X
CVSS Score: 7.5
Published: 2026-04-24

Excalidraw suffers from a DOM-based Cross-Site Scripting (XSS) vulnerability caused by an upstream flaw in the Mermaid diagramming library. The issue occurs during the dimension calculation of KaTeX-rendered labels, leading to arbitrary JavaScript execution when a malicious diagram is rendered in the browser.

TL;DR

DOM-based XSS in Excalidraw resulting from unsanitized KaTeX label rendering in the upstream Mermaid engine.


Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network / Client-Side
  • Vulnerability Type: DOM-based Cross-Site Scripting (XSS)
  • Exploit Status: Proof of Concept Available
  • Upstream Root Cause: CVE-2025-54881
  • Affected Sink: innerHTML within calculateMathMLDimensions

Affected Systems

  • @excalidraw/excalidraw: <= 0.18.0 (Fixed in: 0.18.1)
  • @excalidraw/mermaid-to-excalidraw: < 1.1.1 (Fixed in: 1.1.1)
  • mermaid: < 10.9.4 (Fixed in: 10.9.4)

Code Analysis

Commit: 5c69e5f

Refactors rendering pipeline to be asynchronous

Commit: 685516a

Introduces renderKatexSanitized to strip dangerous HTML

Mitigation Strategies

  • Upgrade @excalidraw/excalidraw to version 0.18.1 or later.
  • Upgrade @excalidraw/mermaid-to-excalidraw to version 1.1.1 or later.
  • Enforce a strict Content Security Policy (CSP) that does not allow the 'unsafe-inline' directive for scripts.

Remediation Steps:

  1. Identify projects utilizing @excalidraw/excalidraw via package managers (npm, yarn, pnpm).
  2. Update the package dependencies in package.json to the patched versions.
  3. Run the respective install command to update lockfiles.
  4. Deploy the updated application to production environments.
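Steps 1 and 2 above amount to checking each resolved dependency against the version ranges the advisory lists. The script below is an added example, not code from the advisory or from the Excalidraw project; it assumes the resolved versions have already been read out of a lockfile into a plain name-to-version map, and it uses the ranges exactly as stated in this report.

```javascript
// Added example (not from the advisory or the Excalidraw project): audits a
// map of resolved dependency versions against the ranges listed in
// GHSA-39H7-PWV7-RC3X. Assumes versions are major.minor.patch semver; any
// leading range marker (^, ~) and pre-release suffix is ignored.
const ADVISORY = "GHSA-39H7-PWV7-RC3X";

// Vulnerable ranges and fixed versions as given in the advisory above.
const AFFECTED = {
  "@excalidraw/excalidraw": { vulnerable: (v) => cmp(v, "0.18.0") <= 0, fixed: "0.18.1" },
  "@excalidraw/mermaid-to-excalidraw": { vulnerable: (v) => cmp(v, "1.1.1") < 0, fixed: "1.1.1" },
  "mermaid": { vulnerable: (v) => cmp(v, "10.9.4") < 0, fixed: "10.9.4" },
};

// Minimal semver comparison on major.minor.patch; returns -1, 0 or 1.
function cmp(a, b) {
  const parse = (s) => s.replace(/^[^\d]*/, "").split("-")[0].split(".").map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// deps: { packageName: resolvedVersion }, as read from a lockfile.
// Returns one finding per package that is still inside an affected range.
function audit(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const rule = AFFECTED[name];
    if (rule && rule.vulnerable(version)) {
      findings.push({ package: name, installed: version, upgradeTo: rule.fixed, advisory: ADVISORY });
    }
  }
  return findings;
}

// Constructed sample of resolved versions (not real lockfile data).
const SAMPLE_DEPS = {
  "@excalidraw/excalidraw": "0.18.0",
  "@excalidraw/mermaid-to-excalidraw": "1.1.1",
  "mermaid": "10.9.3",
  "react": "18.3.1",
};

for (const f of audit(SAMPLE_DEPS)) {
  console.log(`${f.package}@${f.installed} is affected by ${f.advisory}; upgrade to ${f.upgradeTo}`);
}
```

With the sample map the script reports @excalidraw/excalidraw 0.18.0 and mermaid 10.9.3 as affected and leaves @excalidraw/mermaid-to-excalidraw 1.1.1 alone, since that is the fixed version.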

Read the full report for GHSA-39H7-PWV7-RC3X on our website for more details including interactive diagrams and full exploit analysis.
