CVE-2026-41150: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in mermaid-js mermaid
CVE-2026-41150 is a medium severity vulnerability in the mermaid-js mermaid JavaScript tool that can cause a denial-of-service (DoS) condition. The issue occurs when rendering gantt charts that use the excludes attribute to exclude all dates, leading to an infinite loop. This affects versions prior to 10. 9. 6 and between 11. 0. 0-alpha. 1 and before 11. 15. 0.
AI Analysis
Technical Summary
Mermaid-js mermaid versions before 10.9.6 and between 11.0.0-alpha.1 and 11.15.0 contain a denial-of-service vulnerability (CWE-835) caused by an infinite loop when rendering gantt charts that exclude all dates using the excludes attribute. The vulnerability manifests during the rendering phase when ganttDb.getTasks() is called, not during parsing. This can cause the application to hang or crash due to the loop with an unreachable exit condition. The issue is resolved in versions 10.9.6 and 11.15.0.
Potential Impact
An attacker can cause a denial-of-service condition by crafting gantt charts that exclude all dates, triggering an infinite loop during rendering. This can lead to application unavailability or resource exhaustion. There is no indication of code execution or data compromise. No known exploits have been reported in the wild.
Mitigation Recommendations
Upgrade mermaid-js mermaid to version 10.9.6 or later, or 11.15.0 or later, where this vulnerability is fixed. Since this is a client-side JavaScript library, applying the update is the primary remediation. No other mitigations are indicated.
CVE-2026-41150: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in mermaid-js mermaid
Description
CVE-2026-41150 is a medium severity vulnerability in the mermaid-js mermaid JavaScript tool that can cause a denial-of-service (DoS) condition. The issue occurs when rendering gantt charts that use the excludes attribute to exclude all dates, leading to an infinite loop. This affects versions prior to 10. 9. 6 and between 11. 0. 0-alpha. 1 and before 11. 15. 0.
CVSS v4.0
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mermaid-js mermaid versions before 10.9.6 and between 11.0.0-alpha.1 and 11.15.0 contain a denial-of-service vulnerability (CWE-835) caused by an infinite loop when rendering gantt charts that exclude all dates using the excludes attribute. The vulnerability manifests during the rendering phase when ganttDb.getTasks() is called, not during parsing. This can cause the application to hang or crash due to the loop with an unreachable exit condition. The issue is resolved in versions 10.9.6 and 11.15.0.
Potential Impact
An attacker can cause a denial-of-service condition by crafting gantt charts that exclude all dates, triggering an infinite loop during rendering. This can lead to application unavailability or resource exhaustion. There is no indication of code execution or data compromise. No known exploits have been reported in the wild.
Mitigation Recommendations
Upgrade mermaid-js mermaid to version 10.9.6 or later, or 11.15.0 or later, where this vulnerability is fixed. Since this is a client-side JavaScript library, applying the update is the primary remediation. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T12:59:15.740Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19a74de29bf47b50f00d40
Added to database: 5/29/2026, 2:48:45 PM
Last enriched: 5/29/2026, 3:04:05 PM
Last updated: 5/29/2026, 3:53:40 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.