CVE-2025-66222
Published: 03 December 2025
Description
DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed…
more
Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.
Mitigating Controls (NIST 800-53 r5)AI
Validates and sanitizes inputs to the Mermaid diagram renderer to prevent injection of malicious JavaScript payloads leading to stored XSS.
Filters outputs from the Mermaid renderer to block execution of arbitrary JavaScript in the application context.
Remediates the sanitization flaw in the Mermaid renderer and exposed Electron IPC bridge through timely patching to version beyond 0.5.0.
Security SummaryAI
CVE-2025-66222 is a Stored Cross-Site Scripting (XSS) vulnerability in DeepChat, an artificial intelligence-powered smart assistant, affecting versions 0.5.0 and earlier. The issue lies in the Mermaid diagram renderer, which fails to properly sanitize inputs, allowing attackers to inject and execute arbitrary JavaScript within the application's context. This flaw, associated with CWE-79 (XSS) and CWE-94 (code injection), carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact compromise.
Attackers can exploit this vulnerability by injecting malicious payloads into stored Mermaid diagrams, such as through chat inputs or shared content in DeepChat. Any remote user without privileges can craft such payloads, but exploitation requires a victim to interact with the affected diagram (user interaction, UI:R). The executed JavaScript then leverages DeepChat's exposed Electron IPC bridge to register and start a malicious Model Context Protocol (MCP) server, escalating the XSS to full remote code execution (RCE) on the victim's machine, granting high confidentiality, integrity, and availability impacts in a changed scope (S:C).
Mitigation details are provided in the DeepChat security advisory at https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r and the fixing commit at https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7, which patches the Mermaid renderer sanitization. Security practitioners should advise users to update DeepChat beyond version 0.5.0 and avoid loading untrusted diagrams.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- DeepChat is explicitly described as a smart assistant that uses artificial intelligence, fitting the Enterprise AI Assistants category. The vulnerability involves its UI renderer and integration with Model Context Protocol (MCP), but the primary affected software is the AI assistant application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stored XSS in the Mermaid diagram renderer enables arbitrary JavaScript execution within the Electron application context, which escalates to RCE via the exposed IPC bridge by registering a malicious MCP server, directly facilitating Exploitation for Client Execution.