CVE-2025-47777

Source
https://cve.org/CVERecord?id=CVE-2025-47777
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47777.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-47777
Aliases
  • GHSA-mr8w-mmvv-6hq8
Published
2025-05-14T15:23:28.565Z
Modified
2026-04-10T05:27:32.637082Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
5ire Client Vulnerable to Cross-Site Scripting (XSS) and Remote Code Execution (RCE)
Details

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Database specific
{
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47777.json"
}
References

Affected packages

Git / github.com/nanbingxyz/5ire

Affected ranges

Type
GIT
Repo
https://github.com/nanbingxyz/5ire
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.10.1
v0.11.0
v0.7.9
v0.8.0
v0.8.1
v0.8.3
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47777.json"