GHSA-39h7-pwv7-rc3x: Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
@excalidraw/excalidraw@0.18.0 depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path.
This is patched in @excalidraw/excalidraw@0.18.1 by updating @excalidraw/mermaid-to-excalidraw to 2.2.2, which uses a patched Mermaid 11 release.
Moderate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).
References
Code Behaviors & Features
Detect and mitigate GHSA-39h7-pwv7-rc3x with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →