Platform: javascript
Component: deepchat
Fixed in: 0.5.4
CVE-2025-67744 describes a critical Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram rendering component of DeepChat, an open-source AI agent platform. Because the Electron IPC renderer is exposed to the DOM, the XSS flaw escalates to full Remote Code Execution (RCE): script injected into the page can reach the IPC bridge and run arbitrary system commands. The vulnerability affects DeepChat versions prior to 0.5.3; a patch is available in version 0.5.3.
The impact of CVE-2025-67744 is severe. An attacker can exploit this vulnerability to execute arbitrary code on the affected system. This is achieved by crafting malicious Mermaid diagrams that, when rendered, inject and execute JavaScript code. The exposed Electron IPC renderer allows this injected code to interact with the underlying system, effectively granting the attacker remote control. This could lead to data theft, system compromise, and potential lateral movement within the network. The combination of XSS and IPC exposure creates a highly dangerous attack vector, similar in impact to vulnerabilities that bypass security sandboxes.
CVE-2025-67744 was published on December 16, 2025. As of this date, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be high due to the combination of XSS and RCE, indicating a significant risk. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.27% (50th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-67744 is to upgrade DeepChat to version 0.5.3 or later, which contains the patch. If upgrading is not immediately feasible, consider temporary workarounds. A WAF rule is unlikely to be effective against this kind of XSS, since the payload is diagram text rendered inside a desktop application, but screening input to the Mermaid renderer for suspicious characters or patterns can offer limited protection. Review and restrict what page script can reach through the Electron IPC interface, so that an injected script cannot issue arbitrary IPC calls. After upgrading, confirm the fix by attempting to render a known malicious Mermaid diagram and verifying that no code execution occurs.
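As an added illustration of the two workarounds above (example code written for this page, not DeepChat's own source), the JavaScript below shows a preload-style bridge that exposes only named, argument-checked operations to page script instead of the raw Electron ipcRenderer, plus a heuristic screen for Mermaid source before it is handed to the renderer. The operation names, channel strings, validators and screening patterns are hypothetical, and the ipcRenderer stand-in at the bottom is constructed so the file runs outside Electron.

```javascript
// Added example for CVE-2025-67744, not DeepChat's code. Demonstrates
// (1) exposing an allowlisted API instead of the raw ipcRenderer, and
// (2) screening Mermaid source for markup the renderer should never see.

// Each allowed operation names the IPC channel it maps to and a validator for
// its arguments. Anything not listed here is unreachable from page script.
// Channel names and validators are hypothetical.
const OPERATIONS = {
  sendMessage: {
    channel: 'chat:send',
    validate: (args) =>
      args.length === 1 && typeof args[0] === 'string' && args[0].length <= 10000,
  },
  getSetting: {
    channel: 'settings:get',
    validate: (args) =>
      args.length === 1 && /^[a-z][a-z0-9.]{0,63}$/.test(String(args[0])),
  },
};

// Build the object a preload script would hand to
// contextBridge.exposeInMainWorld('api', createApi(ipcRenderer)).
// Only these wrapper functions cross the bridge; ipcRenderer itself, and any
// generic invoke/send, never becomes a DOM-visible property.
function createApi(ipcRenderer) {
  const api = {};
  for (const [name, op] of Object.entries(OPERATIONS)) {
    api[name] = (...args) => {
      if (!op.validate(args)) {
        // Reject before anything reaches the main process.
        throw new Error(`rejected arguments for ${name}`);
      }
      return ipcRenderer.invoke(op.channel, ...args);
    };
  }
  return Object.freeze(api);
}

// Heuristic screen for Mermaid source. Diagram syntax never needs script
// tags, javascript: URLs, inline event handlers or embedding elements, so
// their presence is grounds to refuse rendering. A stopgap only; it does not
// replace the patched version or mermaid's securityLevel: 'strict'.
const SUSPECT_PATTERNS = [
  /<\s*script/i,
  /javascript\s*:/i,
  /\bon[a-z]+\s*=/i, // inline handlers such as onload=
  /<\s*(iframe|object|embed|foreignObject)/i,
];

function screenDiagram(source) {
  const hits = SUSPECT_PATTERNS.filter((re) => re.test(source)).map(String);
  return { allowed: hits.length === 0, hits };
}

// Constructed stand-in for Electron's ipcRenderer so this runs as plain Node.
const demoIpc = { invoke: (channel, ...args) => Promise.resolve({ channel, args }) };
const demoApi = createApi(demoIpc);
demoApi.sendMessage('hello').then((r) => console.log('forwarded:', r));
console.log(screenDiagram('graph TD; A-->B'));
```

In a real Electron app the preload script passes createApi(ipcRenderer) to contextBridge.exposeInMainWorld, and the BrowserWindow is created with contextIsolation: true, nodeIntegration: false and sandbox: true in its webPreferences, so an XSS in the rendered diagram can at most call the two validated wrappers rather than arbitrary channels. Diagrams should be rendered after mermaid.initialize({ securityLevel: 'strict' }), with the screen above applied to untrusted source first.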
Update DeepChat to version 0.5.3 or higher. This version contains a fix for the XSS vulnerability in the Mermaid diagram rendering component. The update will prevent arbitrary remote code execution.
CVE-2025-67744 is a critical vulnerability in DeepChat versions prior to 0.5.3, allowing attackers to execute arbitrary code via a flawed Mermaid diagram rendering component. It combines XSS and RCE.
You are affected if you are using DeepChat version 0.5.3 or earlier. Upgrade to version 0.5.3 to resolve the vulnerability.
Upgrade DeepChat to version 0.5.3 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the Electron IPC interface.
As of December 16, 2025, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the DeepChat project's official website or GitHub repository for the latest security advisories and release notes related to CVE-2025-67744.