Cyber Posture

CVE-2025-58768

Critical · Public PoC · RCE

Published: 09 September 2025
Modified: 18 September 2025
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.1th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-58768 is a critical-severity Code Injection (CWE-94) vulnerability in Thinkinai Deepchat. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 32.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires timely identification, reporting, and correction of the specific flaw in the Mermaid renderer using innerHTML, such as by applying the vendor patch to version 0.3.5.

prevent: Mandates validation of user-supplied Mermaid content to reject or sanitize malicious payloads that enable XSS prior to rendering.

prevent: Restricts execution of mobile code like injected JavaScript in the Mermaid rendering component to block the XSS exploit chain.

MITRE ATT&CK Enterprise Techniques [AI]

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

XSS vulnerability in Mermaid chart rendering via unsafe innerHTML enables arbitrary JavaScript execution (T1059.007) and command execution through exposed IPC, facilitating exploitation for client execution (T1203).

NVD Description

DeepChat is a smart assistant that uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix.

Deeper analysis [AI]

CVE-2025-58768 is a critical-severity vulnerability (CVSS 9.6) affecting DeepChat, an artificial intelligence-powered smart assistant, in versions prior to 0.3.5. The issue lies in the Mermaid chart rendering component, which unsafely uses innerHTML to set user-supplied content. This enables cross-site scripting (XSS, CWE-79) that triggers an exploit chain, ultimately leading to arbitrary code injection (CWE-94) and command execution via exposed IPC. The flaw stems from an incomplete fix for a prior XSS vulnerability documented in GHSA-hqr4-4gfc-5p2j.

The vulnerability is exploitable remotely (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and it changes scope (S:C) to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). An attacker can craft malicious Mermaid content that, when rendered by a user in DeepChat, executes arbitrary JavaScript via XSS and escalates to arbitrary command execution through the exposed IPC interface.
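One way to apply the input-validation control to rendered diagram markup before it reaches `innerHTML`, shown as an added example that is not DeepChat's code or its 0.3.5 fix: a fail-closed allowlist check that rejects anything outside a small SVG grammar. The function names, the allowlists and the sample strings are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names): fail-closed allowlist gate for diagram markup.
const ALLOWED_TAGS = new Set(['svg', 'g', 'path', 'rect', 'circle', 'line',
  'polygon', 'text', 'tspan', 'defs', 'marker']);
const ALLOWED_ATTRS = new Set(['id', 'class', 'd', 'x', 'y', 'x1', 'y1', 'x2', 'y2',
  'cx', 'cy', 'r', 'width', 'height', 'viewBox', 'points', 'transform', 'fill',
  'stroke', 'stroke-width', 'marker-end', 'xmlns', 'text-anchor']);

// One tag in a deliberately tiny grammar: a name, then double-quoted attributes only.
// Comments, CDATA, doctypes, unquoted attributes and raw "<" in text do not match.
const TAG = /^<(\/?)([A-Za-z][A-Za-z0-9]*)((?:\s+[A-Za-z][A-Za-z0-9:-]*="[^"<>]*")*)\s*(\/?)>/;
const ATTR = /([A-Za-z][A-Za-z0-9:-]*)="[^"<>]*"/g;

// Returns { ok: true } or { ok: false, reason } for a rendered-markup string.
function validateDiagramMarkup(markup) {
  let i = 0;
  while ((i = markup.indexOf('<', i)) !== -1) {
    const m = TAG.exec(markup.slice(i));
    if (!m) return { ok: false, reason: `unparseable markup at offset ${i}` };
    const [whole, closing, name, attrs] = m;
    if (!ALLOWED_TAGS.has(name.toLowerCase()))
      return { ok: false, reason: `tag <${name}> not allowed` };
    if (closing && attrs) return { ok: false, reason: 'attributes on closing tag' };
    for (const [, attr] of attrs.matchAll(ATTR)) {
      // Case-sensitive on purpose: event handlers and href are simply not listed.
      if (!ALLOWED_ATTRS.has(attr))
        return { ok: false, reason: `attribute ${attr} not allowed` };
    }
    i += whole.length;
  }
  return { ok: true };
}

// Assign markup only when it passed; otherwise show an inert text message.
function setDiagram(container, markup) {
  const verdict = validateDiagramMarkup(markup);
  if (verdict.ok) container.innerHTML = markup;
  else container.textContent = `Diagram blocked: ${verdict.reason}`;
  return verdict;
}

// Constructed samples: a plain diagram, and a label that carries an event handler.
const BENIGN = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 40 20">' +
  '<g class="node"><rect x="0" y="0" width="40" height="20"></rect>' +
  '<text x="4" y="14">A &lt; B</text></g></svg>';
const ACTIVE = '<svg><text><img src="x" onerror="run()"></text></svg>';
```

A gate like this is defence in depth; updating to version 0.3.5 remains the fix the advisory recommends.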

The GitHub security advisory (GHSA-f7q5-vc93-wp6j) recommends updating to DeepChat version 0.3.5, which includes an updated fix for the innerHTML handling in the Mermaid renderer. No additional workarounds are specified.

This vulnerability is notable in the context of AI applications, as DeepChat's smart assistant functionality integrates AI with user-generated content rendering, exposing a chain from XSS to system-level command execution. No public reports of real-world exploitation are available as of the CVE publication on 2025-09-09.

Details

CWE(s)

Affected Products

thinkinai deepchat: ≤ 0.3.5

AI Security Analysis [AI]

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: DeepChat is explicitly described as a smart assistant that uses artificial intelligence, aligning with Enterprise AI Assistants as it involves a deployed AI chat interface with rendering components.

CVEs Like This One

CVE-2025-66222: Same product: Thinkinai Deepchat
CVE-2025-55733: Same product: Thinkinai Deepchat
CVE-2025-66481: Same product: Thinkinai Deepchat
CVE-2025-67744: Same product: Thinkinai Deepchat
CVE-2026-34448: Shared CWE-79, CWE-94
CVE-2026-34725: Shared CWE-79, CWE-94
CVE-2026-42090: Shared CWE-79, CWE-94
CVE-2025-66580: Shared CWE-79, CWE-94
CVE-2026-34585: Shared CWE-79, CWE-94
CVE-2026-33941: Shared CWE-79, CWE-94

References