CVE-2025-58768
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-18

Assigner: GitHub, Inc.

Description
DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-09-18
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58768
EUVD
EUVD-2025-27502
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
thinkinai deepchat to 0.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58768 is a critical vulnerability in the Mermaid chart rendering component of DeepChat (versions up to 0.3.4). The issue arises because the component directly assigns user-supplied content to innerHTML without proper sanitization, leading to a persistent cross-site scripting (XSS) vulnerability. This allows attackers to inject malicious JavaScript into Mermaid charts, which can execute arbitrary code on the user's machine via Electron's IPC interface. The exploit can be triggered by user interaction (like clicking) or immediately upon rendering, enabling command execution such as launching system applications. [1]

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the affected system. An attacker can execute arbitrary commands with the privileges of the application, potentially leading to full data compromise, unauthorized data modification, and disruption of system availability. Because the vulnerability allows execution of system commands via Electron IPC, it can be used to run malicious software, steal sensitive information, or disrupt normal operations. [1]

Detection Guidance

This vulnerability can be detected by inspecting Mermaid chart content for malicious JavaScript injections, especially looking for suspicious inline JavaScript URIs or image tags with event handlers like 'onerror' embedded in Mermaid syntax. Since the exploit involves Electron IPC calls triggered by rendering or clicking, monitoring Electron IPC invocations for unusual commands such as 'calc.exe' execution attempts can help detect exploitation. Specific commands are not provided in the resources, but reviewing Mermaid chart source code for unsafe 'innerHTML' usage or scanning for suspicious Mermaid nodes with inline JavaScript can be effective. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade DeepChat to version 0.3.5 or later, where the vulnerability has been fixed by properly sanitizing user content before assigning it to 'innerHTML' in the Mermaid chart rendering component. Avoid rendering untrusted Mermaid chart content until the update is applied. Additionally, restrict user input that can be rendered as Mermaid charts and monitor for suspicious IPC calls in Electron. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58768. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart