Platform: other
Component: deepchat
Fixed in: 0.3.2
CVE-2025-55733 describes a critical Remote Code Execution (RCE) vulnerability affecting DeepChat versions up to 0.3.1. The flaw lets an attacker execute arbitrary code on a victim's machine by embedding a malicious 'deepchat:' URL in a web page. It is triggered when a user clicks on, or visits a website containing, the specially crafted URL, and can lead to complete system compromise. A fix is available in version 0.3.1.
The impact of CVE-2025-55733 is severe. An attacker can leverage this vulnerability to gain complete control over a victim's system. The attack vector is deceptively simple: embedding a malicious 'deepchat:' URL on any website. When a user clicks this link, the DeepChat application, acting as a custom URL handler, processes the URL and executes the embedded code. This bypasses typical security measures, as the user is essentially tricked into running code they didn't intend to. The blast radius extends to any user of DeepChat running a vulnerable version, regardless of their technical expertise. This is similar to other URL scheme vulnerabilities where malicious code is injected through seemingly innocuous links.
CVE-2025-55733 was publicly disclosed on 2025-08-19. The vulnerability's simplicity and potential for widespread exploitation suggest a medium probability of exploitation (EPSS score likely medium). No public proof-of-concept (PoC) code has been observed as of this writing, but the ease of crafting a malicious URL makes it likely that PoCs will emerge. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.29% (52nd percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2025-55733 is to immediately upgrade DeepChat to version 0.3.1 or later. This version contains the fix that prevents the malicious URL processing. If upgrading is not immediately feasible, consider restricting the use of DeepChat on systems containing sensitive data. While no direct workaround exists, educating users about the risks of clicking unfamiliar or suspicious links can help prevent exploitation. No WAF or proxy rules can effectively mitigate this vulnerability without application-level changes. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious 'deepchat:' URL; it should no longer execute code.
Update DeepChat to version 0.3.1 or later. This version fixes the remote code execution vulnerability. Download the latest version from the product's official website or through the update mechanism integrated into the application.
CVE-2025-55733 is a critical RCE vulnerability in DeepChat versions up to 0.3.1. A malicious 'deepchat:' URL can trigger code execution on a victim's machine.
Yes, if you are using DeepChat version 0.3.1 or earlier, you are vulnerable to this RCE exploit.
Upgrade DeepChat to version 0.3.1 or later to resolve this vulnerability. This update patches the flawed URL handling.
While no active exploitation has been confirmed, the vulnerability's simplicity makes it likely that exploitation attempts will occur.
Refer to the DeepChat official website or security channels for the latest advisory and updates regarding CVE-2025-55733.