CVE-2025-66222 | THREATINT

Description

DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.

PUBLISHED Reserved 2025-11-24 | Published 2025-12-03 | Updated 2025-12-03 | Assigner GitHub_M

CRITICAL: 9.7CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 0.5.0

affected

References

github.com/...epchat/security/advisories/GHSA-v8v5-c872-mf8r

github.com/...ommit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7

cve.org (CVE-2025-66222)

nvd.nist.gov (CVE-2025-66222)