Platform
javascript
Component
markdown-it-mermaid
Fixed in
0.15.3
CVE-2025-68669 is a critical Remote Code Execution (RCE) vulnerability affecting 5ire AI Assistant up to and including version 0.15.2. It stems from an insecure configuration of the markdown-it-mermaid plugin that lets attacker-controlled HTML pass through into rendered Mermaid diagrams. Successful exploitation can lead to complete system compromise. A patch is available in version 0.15.3.
The vulnerable initialization is in useMarkdown.ts, where markdown-it-mermaid is set up with securityLevel: 'loose'. Mermaid's default level, 'strict', HTML-encodes tags that appear in diagram text and disables click callbacks; 'loose' permits both, so raw HTML in a node label is inserted into the DOM unchanged. An attacker who can get a crafted Mermaid block into any markdown that 5ire renders can therefore have JavaScript executed when the diagram is drawn. Because the rendering happens inside the desktop application, the consequences extend to data theft, modification, or remote control of the affected machine, and the impact is significant since the assistant handles sensitive user data and interacts with system resources.
This vulnerability is considered highly exploitable: a malicious Mermaid diagram is trivial to craft, and the 'loose' setting removes the plugin's built-in protection. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature. As of the publication date (2025-12-23), it is not known to be actively exploited in the wild. Note that its CRITICAL CVSS score reflects severity rather than likelihood; the EPSS estimate on this page (0.07%) is low. It has not yet been added to the CISA KEV catalog.
Organizations and individuals using 5ire AI Assistant version 0.15.2 or earlier are at risk. This includes developers integrating 5ire into their applications and users relying on 5ire for AI assistance. Any environment in which markdown from untrusted parties reaches the 5ire renderer, including installations shared by multiple users, is particularly exposed.
• javascript / desktop: Inspect the 5ire application code for an initialization of markdown-it-mermaid with securityLevel: 'loose'. Use a debugger to watch Mermaid diagram rendering and look for HTML elements or script execution originating from diagram labels.
• generic web: Monitor network traffic for Mermaid diagram sources containing HTML tags or click directives. Examine application logs for errors related to HTML parsing or rendering.
Exploit status
Not known to be exploited in the wild as of 2025-12-23; not listed in the CISA KEV catalog
EPSS
0.07% (22nd percentile)
The primary mitigation is to upgrade 5ire to version 0.15.3 or later, which includes the fix. If upgrading immediately is not feasible, temporarily disable the markdown-it-mermaid plugin or restrict the diagram constructs that may be rendered. Validating and sanitizing Mermaid diagram source before rendering (in particular rejecting or encoding HTML tags in labels and dropping click directives) also reduces the attack surface. Monitor system logs for unusual activity related to diagram rendering or JavaScript execution. After upgrading, verify the fix by rendering a test diagram whose label contains an inert HTML tag and confirming that the tag is displayed as literal text rather than interpreted.
Update the `markdown-it-mermaid` dependency to a version that fixes the vulnerability. If no fixed version is available, avoid the `securityLevel: 'loose'` configuration and consider other, safer alternatives for rendering Mermaid diagrams.
CVE-2025-68669 is a critical Remote Code Execution vulnerability in 5ire AI Assistant versions up to 0.15.2, allowing attackers to execute arbitrary code via malicious Mermaid diagrams due to an insecure plugin configuration.
If you are using 5ire AI Assistant version 0.15.2 or earlier, you are affected by this vulnerability. Upgrade to version 0.15.3 to mitigate the risk.
The recommended fix is to upgrade to version 0.15.3. As a temporary workaround, sanitize Mermaid diagram input and configure the markdown-it-mermaid plugin with a stricter securityLevel.
While no active exploitation has been confirmed, the vulnerability's severity and the ease of crafting a malicious diagram make exploitation attempts plausible.
Refer to the 5ire security advisories page for the latest information and official guidance regarding CVE-2025-68669.