CVE-2025-66562
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66562
EUVD
EUVD-2025-201459
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aiql tuui to 1.3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a critical Remote Code Execution (RCE) flaw in TUUI, a desktop MCP client, caused by an unsafe Cross-Site Scripting (XSS) issue in its Markdown rendering component. Specifically, TUUI allows execution of arbitrary JavaScript within ECharts code blocks. Because TUUI also has an exposed Inter-Process Communication (IPC) interface that can spawn processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability was fixed in version 1.3.4.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary system commands on your machine remotely if you view a malicious Markdown message in TUUI. This could lead to full system compromise, unauthorized access, data theft, or other malicious activities depending on the attacker's intent and the system's security context.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade TUUI to version 1.3.4 or later, where the critical Remote Code Execution vulnerability due to unsafe Cross-Site Scripting in the Markdown rendering component has been fixed.

Detection Guidance

This vulnerability can be detected by checking if the installed version of Tuui is prior to 1.3.4, as versions before this contain the unsafe Markdown rendering component with ECharts code block execution and exposed IPC interface. You can verify the Tuui version by running a command like `tuui --version` or checking the package.json file for the version number. Additionally, inspecting the Content Security Policy (CSP) in the `src/renderer/index.html` file for the presence of `'unsafe-eval'` in the `script-src` directive can indicate vulnerability. There are no specific network detection commands provided, but monitoring for the rendering of Markdown messages containing ECharts code blocks or IPC calls that spawn processes could help identify exploitation attempts. Since the vulnerability requires user interaction to trigger, reviewing logs for suspicious IPC invocations or unexpected child process spawns related to Tuui may also help detect exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66562. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart