CVE-2025-47777 CRITICAL

CVE-2025-47777: 5ire Client Vulnerable to Cross-Site Scripting (XSS) and Remote Code Execution (RCE)

Vendor Nanbingxyz
Product 5ire
Weakness CWE-20 · Input validation
Published May 14, 2025
Last update May 14, 2025

CVSS base score

9.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Key dates

02Disclosure timeline

May 14, 2025 CVE published
May 14, 2025 Record updated