CVE-2026-41150: Mermaid Gantt Chart DoS via Excludes Attribute
Mermaid, a popular JavaScript library for creating diagrams from text, contains a denial-of-service vulnerability in versions before 10.9.6 and 11.15.0. The flaw occurs when rendering Gantt charts that use the excludes attribute to block out all dates. An attacker can craft a malicious diagram that, when processed and rendered, causes the application to hang or consume excessive resources, disrupting service availability. The vulnerability only manifests during actual diagram rendering; simply parsing the diagram syntax does not trigger the issue unless the ganttDb.getTasks() function is subsequently called.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-835
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41150 is an infinite loop or resource-exhaustion denial-of-service vulnerability in Mermaid's Gantt chart rendering logic, classified as CWE-835 (Loop with Unreachable Exit Condition). When a Gantt chart specifies an excludes attribute configured to exclude all possible dates, the rendering engine fails to properly handle this edge case, resulting in uncontrolled iteration or processing. The vulnerability is absent from the parsing phase (mermaid.parse) and only becomes exploitable during the rendering workflow when ganttDb.getTasks() is invoked—a function called automatically when displaying diagrams in a web application. Affected versions are those prior to 10.9.6 in the 10.x line and prior to 11.15.0 in the 11.x line.
Business impact
This vulnerability poses a direct threat to service availability for any web application, documentation platform, or collaborative tool that integrates Mermaid for diagram rendering. An attacker can trigger a denial-of-service condition by uploading or injecting a malicious Gantt chart diagram, causing the rendering process to hang. If Mermaid runs in a single-threaded environment or on resource-constrained infrastructure, exploitation can render the entire application unresponsive to legitimate users. Organizations relying on Mermaid for real-time diagram generation, embedded documentation, or user-generated content face the highest risk. The attack requires no authentication and can be automated at scale.
Affected systems
Mermaid versions prior to 10.9.6 (10.x branch) and prior to 11.15.0 (11.x branch) are vulnerable. Any application, library, or service embedding Mermaid as a dependency—including documentation generators, wiki platforms, collaborative drawing tools, CI/CD dashboards, and web-based flowcharting applications—is at risk if those dependencies have not been updated. The vulnerability affects both client-side rendering (in web browsers) and server-side rendering scenarios where Mermaid processes untrusted diagram input.
Exploitability
Exploitability is high due to the attack's simplicity and low barrier to entry. No special privileges, authentication, or user interaction are required beyond the ability to supply a crafted Gantt chart to a system running vulnerable Mermaid. The attack vector is network-accessible (CVSS vector AV:N), meaning it can be conducted remotely. Exploitation requires only knowledge of Gantt chart syntax and the excludes attribute; no complex tooling or deep reverse engineering is necessary. However, the practical impact depends on how Mermaid is deployed: in a web browser context, the DoS affects only that user's session, whereas server-side rendering could impact all users. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited public exploitation at this time, though this should not be taken as assurance of continued obscurity.
Remediation
Update Mermaid to version 10.9.6 or later (if using the 10.x series) or version 11.15.0 or later (if using the 11.x series). Both patch versions contain fixes that properly handle the edge case of excludes attributes blocking all dates, preventing the denial-of-service condition. Organizations should prioritize updates for systems that expose Mermaid rendering to untrusted input, such as public documentation platforms or user-facing diagram tools. Verify patch installation by confirming the version string in your deployed package.json or equivalent dependency manifest.
Patch guidance
Patch releases 10.9.6 and 11.15.0 are available. Determine which major version your application uses and apply the corresponding patch. If you maintain multiple versions of Mermaid across different services, coordinate updates to ensure consistent coverage. Test the update in a staging environment to confirm compatibility with your diagram definitions and rendering pipeline before deploying to production. For applications using Mermaid via package managers (npm, yarn, pnpm), a standard dependency upgrade should apply the fix; for embedded or bundled versions, verify that build artifacts reflect the patched code.
Detection guidance
Monitor for requests or uploads containing Gantt chart syntax with excludes attributes that reference comprehensive date ranges or use wildcard-style exclusions. Log and alert on any rendering requests that exhibit unusual delays or timeout signatures. In server-side scenarios, track CPU and memory consumption during Mermaid rendering operations; spikes or sustained high usage may indicate an exploitation attempt. Implement rate-limiting on diagram rendering endpoints and consider sandboxing or resource-quota enforcement for untrusted diagram processing. Application performance monitoring (APM) tools can flag hanging or stalled rendering tasks. Review access logs for repeated failed or slow diagram render attempts from a single source.
Why prioritize this
Although the CVSS base score of 5.3 (MEDIUM) reflects limited scope (availability-only impact, no confidentiality or integrity compromise), the practical urgency depends on your exposure. Prioritize patching if your organization: (1) hosts user-generated or externally-supplied Gantt diagrams, (2) runs Mermaid in a critical or public-facing service, or (3) processes untrusted diagram input in an automated or batch context. For internal-only or air-gapped Mermaid usage where all diagram sources are trusted, the risk is substantially lower. The ease of exploitation and the lack of required privileges elevate it above a purely numerical CVSS reading in contexts of high exposure.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects a denial-of-service vulnerability with network accessibility and no authentication requirement (AV:N, AC:L, PR:N, UI:N), but limited scope—only availability is affected, not confidentiality or integrity. The lack of user interaction (UI:N) means exploitation can be automated. The score would be higher if the vulnerability could lead to code execution or data exfiltration, but the DoS-only nature caps it at MEDIUM severity. Contextually, organizations accepting untrusted diagram input should treat this as more urgent than the numerical score alone suggests.
Frequently asked questions
Can an attacker exploit this without uploading a diagram?
Yes, if they can control any input that is later rendered as a Mermaid Gantt chart—including via API parameters, configuration files, or database content. They do not need file upload capabilities; any vector allowing them to supply diagram text to a vulnerable Mermaid instance suffices.
If I only parse diagrams with mermaid.parse() and never render them, am I safe?
Likely yes for this specific vulnerability. The CVE description states that mermaid.parse is unaffected; the issue only arises when ganttDb.getTasks() is called during actual rendering. However, verify that your code path does not invoke getTasks() after parsing, and keep Mermaid updated for other potential vulnerabilities.
Does this affect Gantt charts that exclude some dates, or only those that exclude all dates?
The vulnerability is specifically triggered when the excludes attribute is configured to block out all possible dates. A Gantt chart that excludes a subset of dates should render normally. An attacker would need to craft excludes logic that achieves total date exclusion to trigger the denial-of-service.
Is there a workaround if I cannot update immediately?
Implement strict input validation and reject or sanitize Gantt chart definitions that use excludes attributes in ways that exclude all dates. Add rendering timeouts and resource limits (CPU, memory) around Mermaid operations. These are temporary measures; patching should remain your primary remediation path.
This analysis is based on the published CVE record and vendor advisories as of the modification date (2026-06-17). Readers should verify patch availability and version compatibility against official Mermaid release notes and their vendor's security bulletins. SEC.co does not provide warranty or liability for third-party tool or library integration decisions. Organizations should test patches in controlled environments before production deployment. Exploitation techniques and proof-of-concept code are not provided herein; security researchers should consult responsible disclosure guidelines and obtain proper authorization before testing any systems not under their control. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10028MEDIUMglib-networking GnuTLS Certificate Validation Denial-of-Service
- CVE-2026-46146MEDIUMLinux Kernel USB Audio Infinite Loop DoS Vulnerability
- CVE-2026-41159MEDIUMMermaid CSS Injection Vulnerability – Patch to 10.9.6 or 11.15.0
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability