Platform: other
Component: dive
Fixed in: 0.11.2
A critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-66580) has been identified in Dive, an open-source MCP Host Desktop Application, affecting versions prior to 0.11.1. This vulnerability resides within the Mermaid diagram rendering component and allows attackers to inject malicious JavaScript. Successful exploitation can lead to Remote Code Execution (RCE) on the victim's machine by injecting a malicious Model Context Protocol (MCP) server configuration.
The impact of CVE-2025-66580 is severe. An attacker can leverage the XSS vulnerability to inject arbitrary JavaScript code into the Mermaid diagrams rendered by Dive. This injected code can then be used to craft a malicious Model Context Protocol (MCP) server configuration. When a user clicks on a node containing this malicious configuration, the application will attempt to connect to the attacker-controlled MCP server. This connection can then be exploited to execute arbitrary code on the victim's machine, effectively achieving Remote Code Execution (RCE). The blast radius extends to any Dive user who renders an attacker-supplied diagram, making it a significant risk.
CVE-2025-66580 was publicly disclosed on 2025-12-19. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's severity and potential for RCE suggest a high likelihood of exploitation. Its CVSS v3.1 score of 9.7 (CRITICAL) underscores the urgency of patching. The vulnerability's reliance on user interaction (clicking a node) may limit its immediate exploitability in automated campaigns, but targeted attacks are a significant concern.
Exploit Status
EPSS: 0.27% (50th percentile)
The primary mitigation for CVE-2025-66580 is to upgrade Dive to version 0.11.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing strict input validation and sanitization on any user-supplied data used in Mermaid diagrams. While a WAF or proxy may offer some protection, it's unlikely to be effective against this type of stored XSS. Thoroughly review and audit all Mermaid diagrams before allowing them to be rendered within the application.
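As an added example (not Dive's own code or its fix), the following JavaScript shows one way to apply the strict-validation mitigation above: a pre-render gate that audits untrusted Mermaid source before it reaches the renderer, plus a hardened renderer configuration. It assumes Dive renders diagrams with the mermaid.js library; the rule identifiers, the `auditMermaidSource`/`shouldRender` functions and the `hardenedMermaidConfig` helper are the editor's own.

```javascript
// Added example, not Dive's code: defensive pre-render gate for Mermaid
// source that arrives from an untrusted party (e.g. an MCP response).
// Assumes the renderer is the mermaid.js library.

// Source-level patterns that let a diagram do more than draw shapes.
const RISKY_PATTERNS = [
  // "click <node> ..." attaches a callback or link to a node; the advisory's
  // exploit path is triggered by a click on a node.
  { id: 'click-directive', re: /^\s*click\s+/im },
  // inline init directives can lower securityLevel or enable htmlLabels
  { id: 'init-directive', re: /%%\{\s*init\b/i },
  // javascript: URLs anywhere in the source
  { id: 'javascript-url', re: /javascript\s*:/i },
  // raw HTML tags inside labels (rendered when htmlLabels is enabled)
  { id: 'html-tag', re: /<\s*\/?\s*[a-z][^>]*>/i },
];

// Returns the ids of every rule the source trips (empty array = clean).
function auditMermaidSource(src) {
  const findings = [];
  for (const { id, re } of RISKY_PATTERNS) {
    if (re.test(src)) findings.push(id);
  }
  return findings;
}

// Gate used by the caller: render only diagrams with no findings.
function shouldRender(src) {
  return auditMermaidSource(src).length === 0;
}

// Renderer-side hardening, independent of the source filter: mermaid's
// 'strict' securityLevel ignores click callbacks and encodes HTML in labels.
function hardenedMermaidConfig() {
  return { startOnLoad: false, securityLevel: 'strict' };
}

// Constructed sample inputs (not taken from the advisory).
const BENIGN = `flowchart TD
  A[Client] -->|stdio| B[MCP server]
  B --> C[(Tool)]`;
const SUSPICIOUS = `flowchart TD
  A[Connect] --> B[Server]
  click A call handler()`;

console.log(auditMermaidSource(BENIGN));      // []
console.log(auditMermaidSource(SUSPICIOUS));  // [ 'click-directive' ]
```

The audit is deliberately a denylist on top of `securityLevel: 'strict'`, not a replacement for it; both layers should be on.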
Update Dive to version 0.11.1 or later. This version fixes the Cross-Site Scripting (XSS) vulnerability that allows remote code execution. The update will prevent an attacker from injecting malicious MCP server configurations and compromising your machine.
CVE-2025-66580 is a critical Stored Cross-Site Scripting (XSS) vulnerability in Dive versions prior to 0.11.1, allowing malicious JavaScript injection through Mermaid diagrams, potentially leading to RCE.
You are affected if you are using Dive version 0.11.1 or earlier. Upgrade to 0.11.1 to eliminate the vulnerability.
Upgrade Dive to version 0.11.1 or later. This version includes a fix for the XSS vulnerability.
While no public exploits are currently known, the vulnerability's severity and potential for RCE suggest a high likelihood of exploitation.
Refer to the official Dive project repository and associated security announcements for the latest information and advisory regarding CVE-2025-66580.