Description
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An infinite loop occurs when a Mermaid Gantt chart uses the excludes attribute to remove all dates, causing the rendering engine to stall. This leads to a denial of service, consuming CPU until the process is terminated or the application times out. The CVSS score of 5.3 indicates moderate severity and reflects the effect on availability rather than confidentiality or integrity.

Affected Systems

The vulnerability affects the mermaid-js/mermaid library in all releases prior to 10.9.6 and 11.15.0. Updating to either of those patched versions removes the vulnerable code path.

Risk and Exploitability

The issue is exploitable by embedding a Gantt chart whose excludes attribute removes every date in a web page or application that renders Mermaid diagrams. Attackers can trigger the loop without authentication or elevated privileges, resulting in an application slowdown or crash. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA's KEV catalog, suggesting no widespread exploitation yet; it remains a legitimate risk wherever untrusted diagram source is rendered.

Generated by OpenCVE AI on May 29, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mermaid-js/mermaid to 10.9.6 or later on the 10.x line, or to 11.15.0 or later on the 11.x line
  • If upgrading is not immediately possible, avoid rendering Gantt charts that use the excludes attribute to omit all dates; remove or limit the attribute usage
  • Monitor the application for unusually high CPU usage or responsiveness issues, and consider disabling Mermaid rendering on critical services until a patch can be applied
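A pre-render gate that implements the second recommendation, added here as an example; it is not code from Mermaid or OpenCVE. It assumes Mermaid's gantt `excludes` line accepts weekday names and the keyword `weekends`, separated by commas or whitespace; explicit YYYY-MM-DD date exclusions are not evaluated, so it only catches the all-weekdays form of "exclude all dates".

```javascript
// Heuristic gate: refuse to render a gantt source whose `excludes` lines
// cover all seven days of the week (the "exclude all dates" condition that
// triggers the infinite loop in vulnerable Mermaid releases).
const WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"];

// Collect every weekday named by `excludes` lines. Multiple lines are merged,
// which is conservative (flags at least as much as Mermaid would exclude).
function excludedWeekdays(source) {
  const days = new Set();
  for (const raw of source.split(/\r?\n/)) {
    const m = /^excludes\s+(.+)$/i.exec(raw.trim());
    if (!m) continue;
    for (const tok of m[1].split(/[\s,]+/)) {
      const t = tok.toLowerCase();
      if (t === "weekends") { days.add("saturday"); days.add("sunday"); }
      else if (WEEKDAYS.includes(t)) days.add(t);
    }
  }
  return days;
}

function isGantt(source) { return /^\s*gantt\b/m.test(source); }

// True when the source is a gantt chart that excludes every weekday.
function excludesAllWeekdays(source) {
  return isGantt(source) && excludedWeekdays(source).size === WEEKDAYS.length;
}

// Call this before mermaid.render(); skip or reject the diagram when it returns false.
function safeToRender(source) { return !excludesAllWeekdays(source); }

// Constructed sample inputs (not from the advisory).
const UNSAFE_GANTT = `gantt
  title Weekly plan
  dateFormat YYYY-MM-DD
  excludes weekends, monday, tuesday, wednesday, thursday, friday
  section Work
  Task A :a1, 2026-01-05, 3d`;

const BENIGN_GANTT = UNSAFE_GANTT.replace(/excludes .*/, "excludes weekends");
const FLOWCHART = "flowchart TD\n  A --> B";
```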

Advisories
Source: Github GHSA
ID: GHSA-6m6c-36f7-fhxh
Title: Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
History

Fri, 29 May 2026 18:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 14:45:00 +0000

Values removed: (none)
Values added:
  Description: Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.
  Title: Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
  Weaknesses: CWE-835
  References: (none listed)
  Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T16:17:31.324Z

Reserved: 2026-04-17T12:59:15.740Z

Link: CVE-2026-41150

Vulnrichment

Updated: 2026-05-29T16:13:40.925Z

NVD

Status: Undergoing Analysis

Published: 2026-05-29T15:16:22.673

Modified: 2026-05-29T18:17:09.160

Link: CVE-2026-41150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:15:46Z

Weaknesses