CVE-2025-58768 CRITICAL

CVE-2025-58768: DeepChat's Mermaid rendering has XSS leading to RCE

Vendor Thinkinaixyz
Product deepchat
Weakness CWE-94 · Code injection
Published September 9, 2025
Last update September 9, 2025

CVSS base score

9.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix.

Key dates

02Disclosure timeline

September 9, 2025 CVE published
September 9, 2025 Record updated

Related vulnerabilities

04Related CVE