Infinite loop Affecting mermaid package, versions <10.9.6>=11.0.0-alpha.1 <11.15.0

Q: How to fix?

Upgrade mermaid to version 10.9.6, 11.15.0 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-MERMAID-16642040
published12 May 2026
disclosed11 May 2026
creditAlois Klink

Report a new vulnerability Found a mistake?

Introduced: 11 May 2026

NewCVE-2026-41150 (opens in a new tab) CWE-835 (opens in a new tab)

How to fix?

Upgrade mermaid to version 10.9.6, 11.15.0 or higher.

Overview

mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown.

Affected versions of this package are vulnerable to Infinite loop in the rendering process of Gantt charts when the excludes attribute is set to exclude all dates. An attacker can cause the application to enter an infinite loop by supplying a crafted chart configuration that excludes every day of the week.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
Low