## CVE-2025-54880: Mermaid Diagram Tool Exposes closenow.ai to Cross-Site Scripting Risk
A medium-severity security flaw in the popular Mermaid diagramming library has exposed the closenow.ai project to potential cross-site scripting (XSS) attacks. The vulnerability, tracked as CVE-2025-54880, stems from the library's default configuration in versions 11.9.0 and earlier, where user-supplied input for architecture diagram icons is passed unsafely to the d3 html() method, creating a direct injection sink. This finding was flagged by the Trivy scanner during a deep dependency scan of the `close-now-ui/close-now-angular` project's package-lock.json file, which was found to be using the vulnerable version 11.7.0.

The core issue is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) within Mermaid, a JavaScript-based tool widely used to render diagrams from text definitions. Because the icon value in an architecture diagram definition reaches the d3 html() sink without neutralization, an attacker who controls that diagram text can inject script into the page that renders it. If exploited, this could lead to session hijacking, data theft, or defacement of web applications that embed the vulnerable Mermaid library. The Mermaid maintainers have released version 11.10.0 as the fixed version.

For the closenow.ai project, this finding represents a tangible supply chain risk. The presence of this outdated dependency (`mermaid@11.7.0`) in a core UI component's lockfile indicates an unpatched security gap that must be addressed. While the severity is rated as medium, the widespread use of Mermaid in documentation and web applications amplifies the potential impact. The immediate action required is to upgrade the dependency to the patched version 11.10.0 or later to mitigate the XSS risk before it can be weaponized.
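Trivy reports the finding from the lockfile, but a reviewer usually wants to confirm it before and after the bump, including nested copies that a root `package.json` change would not touch. The script below is an added example, not part of this report and not code from Trivy, Mermaid or closenow.ai: it walks an npm package-lock.json (v1 nested `dependencies` layout or v2/v3 `packages` layout), finds every installed copy of mermaid, and flags any version below the fixed 11.10.0 named above. The `SAMPLE_LOCK` object is a constructed stand-in for close-now-angular's real lockfile, and the function names are this example's own.

```javascript
// Added example: audit an npm package-lock.json for copies of mermaid below the
// fixed version named in the report (11.10.0). Not Trivy, Mermaid or closenow.ai code.

const FIXED_VERSION = "11.10.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release sorts below its
// release (11.10.0-rc.1 < 11.10.0); pre-release identifiers are compared as plain
// strings, which is close enough for an "is it below the fix" check.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// CVE-2025-54880 affects 11.9.0 and earlier per the report; anything below the
// fixed release is treated as affected.
function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every installed copy of `name`, including nested (transitive) copies.
// lockfileVersion 2/3 list them under "packages" keyed by install path;
// lockfileVersion 1 nests them under "dependencies". v2 carries both, so prefer
// "packages" and only fall back to "dependencies" when it is absent.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) hits.push({ path, version: entry.version });
      if (entry.dependencies) walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// One record per installed mermaid copy, with a verdict against FIXED_VERSION.
function auditMermaid(lock) {
  return findPackage(lock, "mermaid").map((h) => {
    const affected = isAffected(h.version);
    return { ...h, affected, advice: affected ? `upgrade to >= ${FIXED_VERSION}` : "ok" };
  });
}

// Constructed sample (lockfileVersion 3) standing in for close-now-angular's real
// package-lock.json: the hoisted copy matches the vulnerable 11.7.0 the report
// cites, plus a nested copy under a made-up package that is already patched.
const SAMPLE_LOCK = {
  name: "close-now-angular",
  lockfileVersion: 3,
  packages: {
    "": { name: "close-now-angular", dependencies: { mermaid: "^11.7.0" } },
    "node_modules/mermaid": { version: "11.7.0" },
    "node_modules/example-docs-tool/node_modules/mermaid": { version: "11.10.0" },
  },
};

for (const hit of auditMermaid(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version}: ${hit.affected ? "AFFECTED" : "ok"} (${hit.advice})`);
}
```

To run it against a real lockfile, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditMermaid` instead of `SAMPLE_LOCK`. A hit nested under another package's `node_modules` means mermaid arrives there as a transitive dependency, so bumping the root `package.json` alone will not remove it; the parent package has to be updated, or an npm `overrides` entry used to force the nested copy to 11.10.0 or later, and the audit re-run on the regenerated lockfile.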

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2025-54880, XSS, Supply Chain Security, JavaScript, closenow.ai
- **Credibility**: unverified
- **Published**: 2026-04-08 00:26:55
- **ID**: 54007
- **URL**: https://whisperx.ai/en/intel/54007