Platform: javascript
Component: 5ire
Fixed in: 0.11.2
CVE-2025-47777 is a critical cross-site scripting (XSS) vulnerability affecting versions of the 5ire AI assistant client prior to 0.11.1. This vulnerability stems from insufficient sanitization of chatbot responses, enabling attackers to inject malicious scripts. Successful exploitation can lead to remote code execution (RCE) due to unsafe Electron protocol handling and exposed Electron APIs, posing a significant risk to user systems. Version 0.11.1 addresses this issue with a security patch.
The impact of CVE-2025-47777 is severe due to the potential for remote code execution. An attacker could inject malicious JavaScript code into chatbot responses, which would then be executed in the context of the user's browser. This could allow the attacker to steal sensitive information, such as login credentials or personal data, or even take control of the user's system. The vulnerability’s reliance on Electron protocol handling expands the attack surface, allowing for potentially more sophisticated exploits. The exposed Electron APIs further exacerbate the risk, providing attackers with more avenues for malicious activity. This is similar to other Electron-based application vulnerabilities where improper protocol handling has led to RCE.
CVE-2025-47777 was publicly disclosed on 2025-05-14. The vulnerability's critical CVSS score (9.7) indicates a high probability of exploitation. No proof-of-concept (PoC) code has been publicly released as of this writing, but the combination of the high CVSS score and the potential for RCE suggests that attackers may be actively seeking to exploit this vulnerability. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 2.22% (84% percentile)
The primary mitigation for CVE-2025-47777 is to immediately upgrade to version 0.11.1 of the 5ire AI assistant client. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider isolating 5ire instances from untrusted chatbot sources. While a direct WAF rule is unlikely to be effective against stored XSS, implementing a strict Content Security Policy (CSP) within the Electron application could help limit the impact of successful exploits. Monitor chatbot interactions for unusual activity and consider disabling features that allow users to paste external content into the chatbot interface. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a chatbot interaction and verifying that it is properly sanitized.
Update the 5ire client to version 0.11.1 or later. This corrects the Cross-Site Scripting (XSS) and Remote Code Execution (RCE) vulnerabilities. Avoid interacting with untrusted chatbots or pasting external content in versions prior to 0.11.1.
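The hardening points mentioned above (a strict CSP, restricted protocol handling, and no exposed Electron APIs) can be checked in code. The following is an added example, not code from 5ire or from the original advisory. The function names, the scheme allowlist and the CSP directives are assumptions chosen for illustration; the `webPreferences` keys and `shell.openExternal` are standard Electron names.

```javascript
// Added example, not 5ire's code; all function names are hypothetical.

// Schemes a rendered chat link may hand to the OS (for example via shell.openExternal).
const ALLOWED_EXTERNAL_SCHEMES = new Set(['https:', 'http:', 'mailto:']);

// Returns true only for absolute URLs whose scheme is on the allowlist.
function isSafeExternalUrl(raw) {
  if (typeof raw !== 'string') return false;
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return false; // relative or malformed: refuse rather than guess
  }
  return ALLOWED_EXTERNAL_SCHEMES.has(url.protocol);
}

// Flags BrowserWindow webPreferences that expose Node or OS access to renderer script.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration enabled');
  if (prefs.contextIsolation === false) findings.push('contextIsolation disabled');
  if (prefs.sandbox === false) findings.push('sandbox disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled');
  return findings;
}

// Restrictive CSP for a renderer that displays model output: no inline or remote script.
function buildCsp() {
  return [
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "connect-src 'self' https:",
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed sample configuration, as it might appear in a main-process file.
const sampleWebPreferences = { nodeIntegration: true, contextIsolation: false };
console.log(auditWebPreferences(sampleWebPreferences));
console.log(isSafeExternalUrl('file:///tmp/x'), isSafeExternalUrl('https://example.com/'));
console.log(buildCsp());
```

The CSP string would be served as a `Content-Security-Policy` header or `<meta>` tag for the renderer, and the URL check would sit in front of any call that passes a link from rendered chat content to the operating system.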
CVE-2025-47777 is a critical vulnerability in 5ire AI Assistant versions prior to 0.11.1. It allows stored XSS, potentially leading to remote code execution due to insufficient input sanitization.
Yes, if you are using 5ire AI Assistant version 0.11.1 or earlier, you are potentially affected by this vulnerability. The risk is higher if you interact with untrusted chatbots.
Upgrade to version 0.11.1 of 5ire AI Assistant. If immediate upgrade is not possible, isolate the application from untrusted chatbot sources and implement strict content security policies.
While no public exploits are currently known, the high CVSS score and potential for RCE suggest attackers may be actively seeking to exploit this vulnerability.
Refer to the official 5ire security advisory for detailed information and updates regarding CVE-2025-47777. Check the 5ire website and security channels for the latest announcements.