Platform
javascript
Component
deepchat
Fixed in
0.5.4
CVE-2025-67744 describes a critical Cross-Site Scripting (XSS) vulnerability within the Mermaid diagram rendering component of DeepChat, an open-source AI agent platform. This XSS flaw escalates to full Remote Code Execution (RCE) due to the exposure of the Electron IPC renderer to the DOM, allowing attackers to execute arbitrary system commands. The vulnerability affects DeepChat versions prior to 0.5.3, and a patch is available in version 0.5.3.
The impact of CVE-2025-67744 is severe. An attacker can exploit this vulnerability to execute arbitrary code on the affected system. This is achieved by crafting malicious Mermaid diagrams that, when rendered, inject and execute JavaScript code. The exposed Electron IPC renderer allows this injected code to interact with the underlying system, effectively granting the attacker remote control. This could lead to data theft, system compromise, and potential lateral movement within the network. The combination of XSS and IPC exposure creates a highly dangerous attack vector, similar in impact to vulnerabilities that bypass security sandboxes.
CVE-2025-67744 was published on December 16, 2025. As of this date, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be high due to the combination of XSS and RCE, indicating a significant risk. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing DeepChat for AI agent development and deployment are at risk, particularly those relying on older versions (≤ 0.5.3). Shared hosting environments where DeepChat is deployed alongside other applications are also at increased risk, as a successful exploit could potentially compromise the entire host.
• javascript / web: Inspect DeepChat's JavaScript code for instances of eval() or new Function() calls related to Mermaid rendering.
  // Example: search the source text of a Mermaid rendering function for calls to eval()
  // `renderMermaid` is a placeholder for the rendering function under review, not a DeepChat identifier
  const code = renderMermaid;
  console.log(code.toString().match(/eval\s*\(/g) || []);
• javascript / web: Monitor network traffic for unusual JavaScript payloads being sent to the DeepChat application.
• javascript / web: Examine the Electron IPC channel for unexpected messages or commands being executed.
• generic web: Review DeepChat's access and error logs for any signs of XSS attempts or unusual activity related to Mermaid diagrams.
disclosure
Exploit status
EPSS
0.27% (50th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67744 is to immediately upgrade DeepChat to version 0.5.3 or later, which contains the necessary patch. If upgrading is not immediately feasible, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective against this type of XSS, carefully scrutinizing input to the Mermaid renderer for suspicious characters or patterns could offer limited protection. Review and restrict access to the Electron IPC interface to prevent unauthorized interactions. After upgrading, confirm the fix by attempting to render a known malicious Mermaid diagram and verifying that no code execution occurs.
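The following is an added example written for this page; it is not DeepChat's code and does not reproduce the vulnerable component. It ties together the root cause described above (an XSS sink in diagram rendering reaching an IPC object exposed to the DOM), the detection bullet about grepping for eval() and new Function(), and the mitigation of restricting the Electron IPC interface. findRiskyPatterns scans JavaScript source text for the configuration and code patterns that make such an escalation possible; makeIpcBridge shows the allow-listed preload shape that replaces handing ipcRenderer to page scripts. All names (RISKY_PATTERNS, ALLOWED_CHANNELS, makeIpcBridge, fakeIpcRenderer) and both preload snippets are assumptions constructed for the example, and it runs under plain Node without Electron.

```javascript
// Added example, not DeepChat's code: a source-pattern scan for the Electron
// misconfigurations behind an XSS-to-RCE escalation, plus an allow-listed IPC
// bridge showing the mitigation "restrict access to the Electron IPC interface".
// Runs under plain Node; Electron is never required. Pattern labels are our own.

const RISKY_PATTERNS = [
  { id: 'eval-call', re: /\beval\s*\(/g, why: 'eval() on text the renderer controls' },
  { id: 'new-function', re: /\bnew\s+Function\s*\(/g, why: 'new Function() builds code from strings' },
  { id: 'ipc-on-window', re: /\bwindow\.ipcRenderer\s*=/g, why: 'ipcRenderer assigned to a DOM global' },
  { id: 'raw-ipc-bridge', re: /exposeInMainWorld\s*\(\s*['"][^'"]*['"]\s*,\s*ipcRenderer\s*\)/g,
    why: 'contextBridge hands the whole ipcRenderer object to page scripts' },
  { id: 'context-isolation-off', re: /contextIsolation\s*:\s*false/g, why: 'contextIsolation disabled' },
  { id: 'node-integration-on', re: /nodeIntegration\s*:\s*true/g, why: 'nodeIntegration enabled in a renderer' },
  { id: 'mermaid-loose', re: /securityLevel\s*:\s*['"]loose['"]/g,
    why: "Mermaid securityLevel 'loose' keeps HTML labels and click handlers enabled" },
];

// Scan a JavaScript source string and return every hit with its 1-based line number.
// Heuristic text matching, not a parser: useful for triage, not proof of absence.
function findRiskyPatterns(source) {
  const findings = [];
  for (const p of RISKY_PATTERNS) {
    const re = new RegExp(p.re.source, p.re.flags); // fresh lastIndex per scan
    let m;
    while ((m = re.exec(source)) !== null) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ id: p.id, line, why: p.why });
    }
  }
  return findings.sort((a, b) => a.line - b.line || a.id.localeCompare(b.id));
}

// Mitigation pattern: expose only invoke() for named channels, never ipcRenderer itself.
// In a real preload this frozen object is what you would pass to
// contextBridge.exposeInMainWorld('api', ...); ipcRenderer is injected so it runs here.
const ALLOWED_CHANNELS = new Set(['chat:send', 'settings:get']); // assumed channel names

function makeIpcBridge(ipcRenderer, allowed = ALLOWED_CHANNELS) {
  return Object.freeze({
    invoke(channel, payload) {
      if (typeof channel !== 'string' || !allowed.has(channel)) {
        throw new Error(`IPC channel not allowed: ${String(channel)}`);
      }
      return ipcRenderer.invoke(channel, payload);
    },
  });
}

// Stand-in for Electron's ipcRenderer that only records what reached it.
function fakeIpcRenderer() {
  const calls = [];
  return {
    calls,
    invoke: (channel, payload) => {
      calls.push({ channel, payload });
      return Promise.resolve(`ok:${channel}`);
    },
  };
}

// Constructed preload snippets (not taken from DeepChat) to run the scan against.
const SAMPLE_PRELOAD_RISKY = [
  "const { contextBridge, ipcRenderer } = require('electron');",
  'window.ipcRenderer = ipcRenderer;',               // DOM exposure: any XSS can reach IPC
  "mermaid.initialize({ securityLevel: 'loose' });", // diagram text may carry HTML/handlers
].join('\n');

const SAMPLE_PRELOAD_FIXED = [
  "const { contextBridge, ipcRenderer } = require('electron');",
  "contextBridge.exposeInMainWorld('api', makeIpcBridge(ipcRenderer));",
  "mermaid.initialize({ securityLevel: 'strict' });",
].join('\n');

console.log(findRiskyPatterns(SAMPLE_PRELOAD_RISKY)); // ipc-on-window at line 2, mermaid-loose at line 3
console.log(findRiskyPatterns(SAMPLE_PRELOAD_FIXED)); // []
```

The scan is deliberately a text heuristic so it can be pointed at a built renderer bundle as well as source; a clean result only means none of these strings appear, so pair it with a manual read of the preload and the BrowserWindow webPreferences. The bridge rejects a channel before it ever reaches ipcRenderer, which is what keeps script injected through a diagram from turning into arbitrary IPC traffic.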
Update DeepChat to version 0.5.3 or later. This version contains a fix for the XSS vulnerability in the Mermaid diagram rendering component. The update will prevent arbitrary remote code execution.
CVE-2025-67744 is a critical vulnerability in DeepChat versions prior to 0.5.3, allowing attackers to execute arbitrary code via a flawed Mermaid diagram rendering component. It combines XSS and RCE.
You are affected if you are using DeepChat version 0.5.3 or earlier. Upgrade to version 0.5.3 to resolve the vulnerability.
Upgrade DeepChat to version 0.5.3 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the Electron IPC interface.
As of December 16, 2025, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the DeepChat project's official website or GitHub repository for the latest security advisories and release notes related to CVE-2025-67744.