CVE-2025-66562
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiql | tuui | before 1.3.4 (1.3.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the installed version of Tuui is prior to 1.3.4, as versions before this contain the unsafe Markdown rendering component with ECharts code block execution and exposed IPC interface. You can verify the Tuui version by running a command like `tuui --version` or checking the package.json file for the version number. Additionally, inspecting the Content Security Policy (CSP) in the `src/renderer/index.html` file for the presence of `'unsafe-eval'` in the `script-src` directive can indicate vulnerability. There are no specific network detection commands provided, but monitoring for the rendering of Markdown messages containing ECharts code blocks or IPC calls that spawn processes could help identify exploitation attempts. Since the vulnerability requires user interaction to trigger, reviewing logs for suspicious IPC invocations or unexpected child process spawns related to Tuui may also help detect exploitation. [1]
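The two local checks the answer describes (installed version before 1.3.4, and `'unsafe-eval'` present in the renderer's `script-src` directive) as a small Node.js audit script. This is an added example, not code from the TUUI project or from this page; it assumes the renderer CSP is declared in a `<meta http-equiv="Content-Security-Policy">` tag in `src/renderer/index.html` and that the app version is the `version` field of `package.json`. The file contents used below are constructed samples.

```javascript
// Added example, not code from the TUUI project or the BaseFortify page: the two local
// checks from the detection answer, written as plain Node.js functions over constructed input.
// Assumptions (not stated on the page): the renderer CSP is a <meta http-equiv="Content-Security-Policy">
// tag in src/renderer/index.html, and the app version is the "version" field of package.json.
'use strict';

const FIXED_VERSION = '1.3.4'; // first fixed release, per the advisory

// Parse "1.3.4", "v1.3.4" or "1.3.4-beta.1" into [major, minor, patch]; pre-release tags are dropped.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Any release strictly before the fixed version is in the affected range.
function isAffectedVersion(version, fixed = FIXED_VERSION) {
  return compareSemver(version, fixed) < 0;
}

// Pull the policy string out of a CSP <meta> tag; returns null when the page declares none.
// Either quote style is accepted for the content attribute, since CSP source lists use single quotes.
function extractCspFromHtml(html) {
  const tag = /<meta\b[^>]*http-equiv\s*=\s*["']content-security-policy["'][^>]*>/i.exec(html);
  if (!tag) return null;
  const content = /\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag[0]);
  if (!content) return null;
  return (content[1] !== undefined ? content[1] : content[2]).trim();
}

// Split a CSP string into { directiveName: [sources...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// 'unsafe-eval' governs scripts through script-src, or through default-src when script-src is absent.
function cspAllowsUnsafeEval(csp) {
  if (csp === null) return true; // no policy at all: eval is unrestricted
  const d = parseCsp(csp);
  const scriptSources = d['script-src'] || d['default-src'] || [];
  return scriptSources.includes("'unsafe-eval'");
}

// Combine both checks into one report over the contents of the two files.
function auditTuuiInstall(packageJsonText, indexHtmlText) {
  const version = JSON.parse(packageJsonText).version;
  const csp = extractCspFromHtml(indexHtmlText);
  return {
    version,
    versionAffected: isAffectedVersion(version),
    csp,
    cspAllowsUnsafeEval: cspAllowsUnsafeEval(csp),
  };
}

// Constructed sample inputs, not real TUUI files.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'tuui', version: '1.3.3' });
const SAMPLE_INDEX_HTML_WEAK = `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'">
</head><body><div id="app"></div></body></html>`;
// Same page with 'unsafe-eval' removed from script-src.
const SAMPLE_INDEX_HTML_HARDENED = SAMPLE_INDEX_HTML_WEAK.replace(" 'unsafe-eval'", '');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditTuuiInstall(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_HTML_WEAK));
  console.log(auditTuuiInstall(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_HTML_HARDENED));
}
```

Run it with `node` after reading the real `package.json` and `src/renderer/index.html` into the two arguments; a report with `versionAffected: true` or `cspAllowsUnsafeEval: true` is the indicator the answer above describes. The CSP check deliberately falls back to `default-src` when `script-src` is missing, because that is the directive the browser consults in that case.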
Can you explain this vulnerability to me?
This vulnerability is a critical Remote Code Execution (RCE) flaw in TUUI, a desktop MCP client, caused by an unsafe Cross-Site Scripting (XSS) issue in its Markdown rendering component. Specifically, TUUI allows execution of arbitrary JavaScript within ECharts code blocks. Because TUUI also has an exposed Inter-Process Communication (IPC) interface that can spawn processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability was fixed in version 1.3.4.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary system commands on your machine remotely if you view a malicious Markdown message in TUUI. This could lead to full system compromise, unauthorized access, data theft, or other malicious activities depending on the attacker's intent and the system's security context.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade TUUI to version 1.3.4 or later, where the critical Remote Code Execution vulnerability due to unsafe Cross-Site Scripting in the Markdown rendering component has been fixed.