Cyber Posture

CVE-2025-66222

Critical · Public PoC · RCE

Published: 03 December 2025

Modified: 05 December 2025
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.4th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66222 is a critical-severity Code Injection (CWE-94) vulnerability in Thinkinai Deepchat. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 49.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Validates and sanitizes inputs to the Mermaid diagram renderer to prevent injection of malicious JavaScript payloads leading to stored XSS.

Prevent: Filters outputs from the Mermaid renderer to block execution of arbitrary JavaScript in the application context.

Prevent: Remediates the sanitization flaw in the Mermaid renderer and the exposed Electron IPC bridge through timely patching to a version beyond 0.5.0.

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The stored XSS in the Mermaid diagram renderer enables arbitrary JavaScript execution within the Electron application context, which escalates to RCE via the exposed IPC bridge by registering a malicious MCP server, directly facilitating Exploitation for Client Execution.

NVD Description

DeepChat is a smart assistant that uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer that allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.

Deeper analysis (AI)

CVE-2025-66222 is a Stored Cross-Site Scripting (XSS) vulnerability in DeepChat, an artificial intelligence-powered smart assistant, affecting versions 0.5.0 and earlier. The issue lies in the Mermaid diagram renderer, which fails to properly sanitize inputs, allowing attackers to inject and execute arbitrary JavaScript within the application's context. This flaw, associated with CWE-79 (XSS) and CWE-94 (code injection), carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact compromise.

Attackers can exploit this vulnerability by injecting malicious payloads into stored Mermaid diagrams, such as through chat inputs or shared content in DeepChat. Any remote user without privileges can craft such payloads, but exploitation requires a victim to interact with the affected diagram (user interaction, UI:R). The executed JavaScript then leverages DeepChat's exposed Electron IPC bridge to register and start a malicious Model Context Protocol (MCP) server, escalating the XSS to full remote code execution (RCE) on the victim's machine, granting high confidentiality, integrity, and availability impacts in a changed scope (S:C).

Mitigation details are provided in the DeepChat security advisory at https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r and the fixing commit at https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7, which patches the Mermaid renderer sanitization. Security practitioners should advise users to update DeepChat beyond version 0.5.0 and avoid loading untrusted diagrams.
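The output-filtering control (SI-15) named above can be sketched as a fail-closed gate on the renderer's SVG before it is inserted into the page. This is an added example, not DeepChat's code or the upstream fix; the function name `checkRenderedSvg`, the tag allow-list and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: fail-closed check on rendered diagram SVG (hypothetical names).
// Lower-cased allow-list; an assumption about what simple diagrams need.
const ALLOWED_TAGS = new Set([
  'svg', 'g', 'defs', 'marker', 'style', 'title', 'desc', 'path', 'rect',
  'circle', 'ellipse', 'line', 'polyline', 'polygon', 'text', 'tspan',
  'foreignobject', 'div', 'span', 'p', 'br',
]);

function checkRenderedSvg(svg) {
  const problems = [];
  // Every '<' must open or close an allow-listed element. Comments, CDATA,
  // processing instructions and unknown tags all fail this test.
  for (const m of svg.matchAll(/<(\/?)([^\s\/>]*)/g)) {
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) problems.push(`disallowed markup: <${m[1]}${name}`);
  }
  // Any on* attribute is rejected, including on otherwise allowed elements.
  for (const m of svg.matchAll(/[\s"'\/](on[a-z]+)\s*=/gi)) {
    problems.push(`event-handler attribute: ${m[1].toLowerCase()}`);
  }
  // Links may only point at fragments inside the same SVG (e.g. "#arrowhead").
  for (const m of svg.matchAll(/(?:xlink:)?href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))/gi)) {
    const target = m[1] ?? m[2] ?? m[3] ?? '';
    if (!target.trim().startsWith('#')) problems.push(`non-local link target: ${target}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed samples, not taken from the advisory or any proof-of-concept.
const SAMPLE_BENIGN =
  '<svg viewBox="0 0 120 40"><g><rect width="120" height="40"></rect>' +
  '<text x="10" y="25">Start</text></g></svg>';
const SAMPLE_SCRIPTED =
  '<svg><foreignObject><img src="x" onerror="alert(1)"></foreignObject></svg>';
const SAMPLE_LINK = '<svg><a href="javascript:alert(1)"><text>open</text></a></svg>';

for (const [label, svg] of [
  ['benign', SAMPLE_BENIGN], ['scripted', SAMPLE_SCRIPTED], ['link', SAMPLE_LINK],
]) {
  const result = checkRenderedSvg(svg);
  console.log(label, result.ok ? 'render' : 'block', result.problems);
}
```

A string-level gate like this is a second check behind a DOM-based sanitizer, not a replacement for one; its value is that anything it does not recognise is blocked rather than rendered.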

Details

CWE(s)

Affected Products

Vendor: thinkinai; Product: deepchat; Versions: ≤ 0.5.0

AI Security Analysis (AI)

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: DeepChat is explicitly described as a smart assistant that uses artificial intelligence, fitting the Enterprise AI Assistants category. The vulnerability involves its UI renderer and integration with Model Context Protocol (MCP), but the primary affected software is the AI assistant application.

CVEs Like This One

CVE-2025-66481 - Same product: Thinkinai Deepchat
CVE-2025-67744 - Same product: Thinkinai Deepchat
CVE-2025-58768 - Same product: Thinkinai Deepchat
CVE-2025-55733 - Same product: Thinkinai Deepchat
CVE-2025-66562 - Shared CWE-79, CWE-94
CVE-2025-46059 - Shared CWE-94
CVE-2026-33976 - Shared CWE-79, CWE-94
CVE-2026-40322 - Shared CWE-79, CWE-94
CVE-2025-66580 - Shared CWE-79, CWE-94
CVE-2025-55204 - Shared CWE-79, CWE-94
