Cyber Resilience

CVE-2025-66580

CriticalPublic PoCRCE

Published: 19 December 2025

Published
19 December 2025
Modified
02 January 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0048 37.4th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66580 is a critical-severity Code Injection (CWE-94) vulnerability in Openagentplatform Dive. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 37.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-15 (Information Output Filtering).

Deeper analysis

Dive is an open-source Model Context Protocol (MCP) Host Desktop Application designed to enable integration with function-calling large language models (LLMs). A critical Stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2025-66580, affects versions prior to 0.11.1 in its Mermaid diagram rendering component. This flaw allows the execution of arbitrary JavaScript code via javascript: protocols, as mapped to CWE-79 (XSS) and CWE-94 (code injection).

Attackers can exploit the vulnerability remotely without privileges by injecting a malicious MCP server configuration into the application. Exploitation requires user interaction, specifically clicking on the affected node in the diagram, which triggers the payload and results in remote code execution (RCE) on the victim's machine. The issue carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting high impacts on confidentiality, integrity, and availability with low attack complexity over the network.

The official GitHub security advisory (GHSA-xv8m-365j-x6h2) for the OpenAgentPlatform/Dive repository confirms that updating to version 0.11.1 resolves the vulnerability by addressing the javascript: execution in the Mermaid renderer.

Notably, the vulnerability occurs in a desktop application tailored for LLM integrations, underscoring security risks in emerging AI-agent tools that handle dynamic content like diagrams. No public reports of real-world exploitation were available as of the CVE publication on 2025-12-19.

EU & UK References

Vulnerability details

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary…

more

JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llms, mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The stored XSS vulnerability in the Mermaid diagram rendering enables arbitrary JavaScript execution via javascript: URIs in MCP configurations, leading to RCE upon clicking a node, facilitating client-side exploitation (T1203) and abuse of JavaScript as a command interpreter (T1059.007).

CVEs Like This One

CVE-2025-58176Same product: Openagentplatform Dive
CVE-2026-23523Same product: Openagentplatform Dive
CVE-2025-66222Shared CWE-79, CWE-94
CVE-2026-34585Shared CWE-79, CWE-94
CVE-2026-34725Shared CWE-79, CWE-94
CVE-2026-34448Shared CWE-79, CWE-94
CVE-2026-42090Shared CWE-79, CWE-94
CVE-2025-58768Shared CWE-79, CWE-94
CVE-2025-66562Shared CWE-79, CWE-94
CVE-2026-33941Shared CWE-79, CWE-94

Affected Assets

openagentplatform
dive
≤ 0.11.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely installation of the version 0.11.1 patch directly resolves the javascript: execution flaw in the Mermaid renderer.

prevent

Filters information output in the Mermaid diagram rendering component to block javascript: protocols and prevent stored XSS execution.

prevent

Prohibits or restricts JavaScript mobile code execution in the diagram renderer, mitigating arbitrary JS from malicious MCP configurations.

References