CVE-2025-66481

CriticalPublic PoC

Published: 09 December 2025

Published

09 December 2025

Modified

11 December 2025

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0021 43.4th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized Mermaid content. The recent security patch for MermaidArtifact.vue is insufficient and can be bypassed using…

unquoted HTML attributes combined with HTML entity encoding. Remote Code Execution is possible on the victim's machine via the electron.ipcRenderer interface, bypassing the regex filter intended to strip dangerous attributes. There is no fix at time of publication.

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

SI-15 directly prevents XSS by requiring filtering of output, such as Mermaid content rendered to HTML/SVG, blocking bypasses via unquoted attributes and entity encoding.

SI-10 Information Input Validation partial match

prevent

SI-10 addresses input validation of Mermaid payloads to reject malicious content before processing and rendering in the Electron app.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely flaw remediation, directly mitigating the unpatched sanitization flaw in MermaidArtifact.vue exploited for XSS-to-RCE.

Security SummaryAI

CVE-2025-66481 is a cross-site scripting (XSS) vulnerability affecting DeepChat, an open-source AI chat platform that supports cloud models and large language models (LLMs). Versions 0.5.1 and below are impacted due to improperly sanitized Mermaid content in the MermaidArtifact.vue component. A recent security patch for this component proves insufficient, as it can be bypassed using unquoted HTML attributes combined with HTML entity encoding, allowing attackers to evade the regex filter intended to strip dangerous attributes.

Remote unauthenticated attackers can exploit the vulnerability by tricking victims into interacting with maliciously crafted Mermaid content, requiring user interaction such as viewing or rendering the payload. Successful exploitation enables remote code execution (RCE) on the victim's machine via the Electron ipcRenderer interface. The issue carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-80 (Improper Neutralization of Script-Related HTML Tags), and CWE-94 (Improper Control of Generation of Code).

The GitHub security advisory (GHSA-h9f5-7hhf-fqm4) confirms there is no fix available at the time of publication, emphasizing the need for practitioners to avoid untrusted Mermaid content in affected DeepChat deployments until a patch is released.

Details

CWE(s): CWE-79 CWE-80 CWE-94

Affected Products

thinkinai

deepchat

≤ 0.5.1

AI Security AnalysisAI

AI Category: AI Agent Protocols and Integrations
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: No AI-related keywords detected.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

XSS vulnerability in Electron app's Mermaid rendering leads to RCE via ipcRenderer upon user interaction with crafted content, directly enabling Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-h9f5-7hhf-fqm4
Vendor Advisory, Exploit · security-advisories@github.com
https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-h9f5-7hhf-fqm4
Vendor Advisory, Exploit · 134c704f-9b21-4f2e-91b3-4a467353bcc0