Cyber Posture

CVE-2025-66481

Critical · Public PoC · RCE

Published: 09 December 2025

Modified: 11 December 2025
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.4th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66481 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Thinkinai Deepchat. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 48.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-15 directly prevents XSS by requiring filtering of output, such as Mermaid content rendered to HTML/SVG, blocking bypasses via unquoted attributes and entity encoding.

Prevent: SI-10 addresses input validation of Mermaid payloads to reject malicious content before processing and rendering in the Electron app.

Prevent: SI-2 mandates timely flaw remediation, directly mitigating the unpatched sanitization flaw in MermaidArtifact.vue exploited for XSS-to-RCE.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The XSS vulnerability in the Electron app's Mermaid rendering leads to RCE via ipcRenderer upon user interaction with crafted content, directly enabling Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized Mermaid content. The recent security patch for MermaidArtifact.vue is insufficient and can be bypassed using unquoted HTML attributes combined with HTML entity encoding. Remote Code Execution is possible on the victim's machine via the electron.ipcRenderer interface, bypassing the regex filter intended to strip dangerous attributes. There is no fix at time of publication.

Deeper analysis · AI

CVE-2025-66481 is a cross-site scripting (XSS) vulnerability affecting DeepChat, an open-source AI chat platform that supports cloud models and large language models (LLMs). Versions 0.5.1 and below are impacted due to improperly sanitized Mermaid content in the MermaidArtifact.vue component. A recent security patch for this component proves insufficient, as it can be bypassed using unquoted HTML attributes combined with HTML entity encoding, allowing attackers to evade the regex filter intended to strip dangerous attributes.

Remote unauthenticated attackers can exploit the vulnerability by tricking victims into interacting with maliciously crafted Mermaid content, requiring user interaction such as viewing or rendering the payload. Successful exploitation enables remote code execution (RCE) on the victim's machine via the Electron ipcRenderer interface. The issue carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-80 (Improper Neutralization of Script-Related HTML Tags), and CWE-94 (Improper Control of Generation of Code).

The GitHub security advisory (GHSA-h9f5-7hhf-fqm4) confirms there is no fix available at the time of publication, emphasizing the need for practitioners to avoid untrusted Mermaid content in affected DeepChat deployments until a patch is released.

Details

CWE(s)

Affected Products

thinkinai deepchat, versions ≤ 0.5.1

AI Security Analysis · AI

AI Category: AI Agent Protocols and Integrations
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: No AI-related keywords detected.

CVEs Like This One

CVE-2025-66222 (Same product: Thinkinai Deepchat)
CVE-2025-67744 (Same product: Thinkinai Deepchat)
CVE-2025-55733 (Same product: Thinkinai Deepchat)
CVE-2025-58768 (Same product: Thinkinai Deepchat)
CVE-2025-66562 (Shared CWE-79, CWE-94)
CVE-2025-46059 (Shared CWE-94)
CVE-2026-33976 (Shared CWE-79, CWE-94)
CVE-2026-40322 (Shared CWE-79, CWE-94)
CVE-2025-66580 (Shared CWE-79, CWE-94)
CVE-2025-55204 (Shared CWE-79, CWE-94)
