Cyber Resilience

CVE-2025-58768

Critical · Public PoC · RCE

Published: 09 September 2025

Modified: 18 September 2025
KEV Added
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.7th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-58768 is a critical-severity Code Injection (CWE-94) vulnerability in Thinkinai Deepchat. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 44.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-58768 is a critical-severity vulnerability (CVSS 9.6) affecting DeepChat, an artificial intelligence-powered smart assistant, in versions prior to 0.3.5. The issue lies in the Mermaid chart rendering component, which unsafely uses innerHTML to set user-supplied content. This enables cross-site scripting (XSS, CWE-79) that triggers an exploit chain, ultimately leading to arbitrary code injection (CWE-94) and command execution via exposed IPC. The flaw stems from an incomplete fix for a prior XSS vulnerability documented in GHSA-hqr4-4gfc-5p2j.

The vulnerability is exploitable remotely (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and it changes scope (S:C) to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). An attacker can craft malicious Mermaid content that, when rendered by a user in DeepChat, executes arbitrary JavaScript via XSS and escalates to arbitrary command execution through the exposed IPC interface.
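The escalation step described above depends on what the IPC surface accepts from the renderer. As an added defense-in-depth illustration (not DeepChat's code and not taken from the advisory), the example below gates main-process IPC so that only allowlisted channels with validated arguments are served; the origin, channel names and validators are hypothetical.

```javascript
// Added example: hypothetical main-process IPC gate, not DeepChat's code.
// Origin, channel names and validators are assumptions for illustration.
const TRUSTED_ORIGINS = new Set(['app://renderer.example']); // constructed

// Allowlist: every exposed channel carries a strict argument validator.
// There is deliberately no generic "run command" or "open path" channel.
const CHANNELS = new Map([
  ['chat:send', (a) => a.length === 1 && typeof a[0] === 'string' && a[0].length <= 32768],
  ['settings:set-theme', (a) => a.length === 1 && ['light', 'dark', 'system'].includes(a[0])],
]);

// URL.origin is "null" for custom schemes, so compare scheme and host directly.
function originOf(url) {
  try {
    const u = new URL(url);
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

function authorizeIpc({ channel, senderUrl, args }) {
  if (!TRUSTED_ORIGINS.has(originOf(senderUrl))) {
    return { ok: false, reason: 'untrusted-sender' };
  }
  // Script injected through XSS runs inside the trusted page, so the sender
  // check cannot stop it; the allowlist and validators bound what it reaches.
  const validate = CHANNELS.get(channel);
  if (!validate) return { ok: false, reason: 'unknown-channel' };
  if (!Array.isArray(args) || !validate(args)) {
    return { ok: false, reason: 'invalid-arguments' };
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed sample requests, as a main-process handler might receive them.
const PAGE = 'app://renderer.example/index.html';
const SAMPLE_REQUESTS = [
  { channel: 'chat:send', senderUrl: PAGE, args: ['render this diagram'] },
  { channel: 'shell:exec', senderUrl: PAGE, args: ['anything'] },
  { channel: 'settings:set-theme', senderUrl: PAGE, args: [{ theme: 'dark' }] },
  { channel: 'chat:send', senderUrl: 'https://other.example/', args: ['hi'] },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => authorizeIpc(r).reason);
}

console.log(evaluateSamples());
```

The second sample is the case that matters for this chain: a request from the trusted page is still refused because no command-style channel is exposed at all.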

The GitHub security advisory (GHSA-f7q5-vc93-wp6j) recommends updating to DeepChat version 0.3.5, which includes an updated fix for the innerHTML handling in the Mermaid renderer. No additional workarounds are specified.

This vulnerability is notable in the context of AI applications, as DeepChat's smart assistant functionality integrates AI with user-generated content rendering, exposing a chain from XSS to system-level command execution. No public reports of real-world exploitation are available as of the CVE publication on 2025-09-09.

EU & UK References

Vulnerability details

DeepChat is a smart assistant that uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix.

CWE(s)

AI Security Analysis (AI)

AI Category: LLM Application Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: artificial intelligence

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

XSS vulnerability in Mermaid chart rendering via unsafe innerHTML enables arbitrary JavaScript execution (T1059.007) and command execution through exposed IPC, facilitating exploitation for client execution (T1203).

CVEs Like This One

CVE-2025-55733 (same product: Thinkinai Deepchat)
CVE-2025-66222 (same product: Thinkinai Deepchat)
CVE-2025-66481 (same product: Thinkinai Deepchat)
CVE-2025-67744 (same product: Thinkinai Deepchat)
CVE-2026-42090 (shared CWE-79, CWE-94)
CVE-2026-34585 (shared CWE-79, CWE-94)
CVE-2026-34725 (shared CWE-79, CWE-94)
CVE-2025-66580 (shared CWE-79, CWE-94)
CVE-2026-34448 (shared CWE-79, CWE-94)
CVE-2026-33941 (shared CWE-79, CWE-94)

Affected Assets

thinkinai deepchat, versions ≤ 0.3.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely identification, reporting, and correction of the specific flaw in the Mermaid renderer using innerHTML, such as by applying the vendor patch to version 0.3.5.

Prevent: Mandates validation of user-supplied Mermaid content to reject or sanitize malicious payloads that enable XSS prior to rendering.

Prevent: Restricts execution of mobile code like injected JavaScript in the Mermaid rendering component to block the XSS exploit chain.

References