DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HThinkinai Deepchat
APPThinkinai≤ 0.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEXSS
Related vulnerabilities
CVE-2025-67744CRITICAL9.6PL ✓ten sam produkt
RCE przez XSS w komponencie Mermaid w DeepChat (Electron IPC)
CVE-2025-66481CRITICAL9.6PL ✓ten sam produkt
XSS i RCE w Thinkinai DeepChat przez nieskuteczną sanityzację Mermaid
CVE-2025-58768CRITICAL9.6PL ✓ten sam produkt
RCE przez XSS w komponencie Mermaid w aplikacji DeepChat
CVE-2025-55733CRITICAL9.6PL ✓ten sam produkt
RCE jednym kliknięciem w DeepChat przez niebezpieczny handler URL