CVE-2025-66580
Published: 19 December 2025
Description
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary…
more
JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.
Mitigating Controls (NIST 800-53 r5)AI
Timely installation of the version 0.11.1 patch directly resolves the javascript: execution flaw in the Mermaid renderer.
Filters information output in the Mermaid diagram rendering component to block javascript: protocols and prevent stored XSS execution.
Prohibits or restricts JavaScript mobile code execution in the diagram renderer, mitigating arbitrary JS from malicious MCP configurations.
Security SummaryAI
Dive is an open-source Model Context Protocol (MCP) Host Desktop Application designed to enable integration with function-calling large language models (LLMs). A critical Stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2025-66580, affects versions prior to 0.11.1 in its Mermaid diagram rendering component. This flaw allows the execution of arbitrary JavaScript code via javascript: protocols, as mapped to CWE-79 (XSS) and CWE-94 (code injection).
Attackers can exploit the vulnerability remotely without privileges by injecting a malicious MCP server configuration into the application. Exploitation requires user interaction, specifically clicking on the affected node in the diagram, which triggers the payload and results in remote code execution (RCE) on the victim's machine. The issue carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting high impacts on confidentiality, integrity, and availability with low attack complexity over the network.
The official GitHub security advisory (GHSA-xv8m-365j-x6h2) for the OpenAgentPlatform/Dive repository confirms that updating to version 0.11.1 resolves the vulnerability by addressing the javascript: execution in the Mermaid renderer.
Notably, the vulnerability occurs in a desktop application tailored for LLM integrations, underscoring security risks in emerging AI-agent tools that handle dynamic content like diagrams. No public reports of real-world exploitation were available as of the CVE publication on 2025-12-19.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Parse error: ```json { "category": "AI Agent Protocols and Integrations", "reason": "Dive is an MCP Host Desktop Application for integrating with function-calling LLMs, and the vulnerability involves exploitat
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stored XSS vulnerability in the Mermaid diagram rendering enables arbitrary JavaScript execution via javascript: URIs in MCP configurations, leading to RCE upon clicking a node, facilitating client-side exploitation (T1203) and abuse of JavaScript as a command interpreter (T1059.007).