PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41150 mermaid-js CVE debrief

A denial-of-service vulnerability exists in Mermaid, a JavaScript diagramming library, when rendering Gantt charts with the excludes attribute configured to exclude all dates. The issue affects versions prior to 10.9.6 and 11.15.0. While mermaid.parse itself is not directly vulnerable, the ganttDb.getTasks() function—invoked during diagram rendering—triggers the flaw. An attacker could exploit this by supplying a malicious Gantt chart definition that causes excessive resource consumption or application hang. The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition). Fixes are available in releases 10.9.6 and 11.15.0.

Vendor: mermaid-js
Product: mermaid
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations using Mermaid for server-side or client-side diagram rendering, particularly those accepting untrusted user input for Gantt charts. Developers integrating Mermaid into documentation platforms, wikis, or collaborative tools should prioritize patching.

Technical summary

The vulnerability stems from improper handling of edge cases in Gantt chart date exclusion logic. When the excludes attribute is set to exclude all possible dates, the rendering process enters a problematic state through ganttDb.getTasks(). This results in a denial-of-service condition. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and user interaction required, with low availability impact. The fix addresses the loop condition to properly handle cases where all dates are excluded.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Mermaid to 10.9.6 or later on the 10.x line, or to 11.15.0 or later on the 11.x line
  • If upgrading is not immediately possible, validate and sanitize Gantt chart input to prevent excludes attributes that exclude all dates
  • Review applications that render user-supplied Mermaid diagrams for potential DoS exposure
  • Monitor for unusual resource consumption when processing Gantt chart diagrams
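The second action above, rejecting Gantt input whose excludes list leaves no usable day, can be implemented as a coarse pre-render check. The following is an added example written for this debrief; it is not Mermaid's own code and not the project's fix. It assumes the Mermaid Gantt `excludes` syntax as documented (comma-separated weekday names, the keyword `weekends`, or `YYYY-MM-DD` dates) and only catches the weekday-name form, since a finite list of explicit dates cannot exclude every day. The function names, the `checkGanttInput` verdict shape, and the sample charts are constructed for illustration; upgrading remains the actual fix.

```javascript
// Added example (not from the PatchSiren debrief and not Mermaid's own code):
// a coarse pre-render check that refuses Gantt definitions excluding every
// weekday. Assumes Mermaid's documented `excludes` syntax: comma-separated
// weekday names, "weekends", or YYYY-MM-DD dates. Names below are hypothetical.

const WEEKDAYS = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'];
const WEEKEND = new Set(['saturday', 'sunday']);

// Collect the set of weekdays excluded by every `excludes` line in a Gantt source.
function excludedWeekdays(ganttSource) {
  const excluded = new Set();
  for (const rawLine of ganttSource.split(/\r?\n/)) {
    const line = rawLine.trim();
    const m = /^excludes\s+(.*)$/i.exec(line);
    if (!m) continue;
    for (const token of m[1].split(',')) {
      const value = token.trim().toLowerCase();
      if (value === 'weekends') {
        WEEKEND.forEach((d) => excluded.add(d));
      } else if (WEEKDAYS.includes(value)) {
        excluded.add(value);
      }
      // Explicit YYYY-MM-DD dates are ignored on purpose: a finite date list
      // cannot exclude every day, so it is not the input shape this check targets.
    }
  }
  return excluded;
}

// True when all seven weekdays are excluded, i.e. no date can ever be a
// working day. This is the shape a defender wants to reject before calling
// mermaid.render() on untrusted input.
function excludesEveryWeekday(ganttSource) {
  return excludedWeekdays(ganttSource).size === WEEKDAYS.length;
}

// Gatekeeper returning a verdict that callers can log or surface to the user.
// Non-Gantt diagrams pass through untouched; only Gantt sources are inspected.
function checkGanttInput(ganttSource) {
  if (!/^\s*gantt\b/m.test(ganttSource)) {
    return { ok: true, reason: 'not a gantt diagram' };
  }
  if (excludesEveryWeekday(ganttSource)) {
    return { ok: false, reason: 'excludes every weekday; refusing to render' };
  }
  return { ok: true, reason: 'excludes leaves at least one working day' };
}

// Constructed sample inputs (not taken from any real advisory or report).
const SAFE_CHART = `gantt
  title Release plan
  dateFormat YYYY-MM-DD
  excludes weekends, 2026-06-01
  section Build
  Compile :a1, 2026-06-02, 3d`;

const ALL_EXCLUDED_CHART = `gantt
  title Every day excluded
  dateFormat YYYY-MM-DD
  excludes weekends, monday, tuesday
  excludes Wednesday, thursday, FRIDAY
  section Build
  Compile :a1, 2026-06-02, 3d`;

// Stand-alone demonstration: the first verdict is ok, the second is rejected.
console.log(checkGanttInput(SAFE_CHART));
console.log(checkGanttInput(ALL_EXCLUDED_CHART));
```

Run the check on the diagram text before it reaches `mermaid.render()` (or a server-side renderer) and log rejections; the `reason` field gives the monitoring hook the fourth action above asks for. The check is deliberately narrow so it does not reject legitimate charts that exclude weekends or a handful of holidays.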

Evidence notes

CVE published 2026-05-29. Advisory confirms DoS via Gantt chart excludes attribute. Patches released in 10.9.6 and 11.15.0.

Official resources

2026-05-29