CVE-2025-66222

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-66222
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66222.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66222
Aliases
  • GHSA-v8v5-c872-mf8r
Published
2025-12-03T18:34:44.019Z
Modified
2026-03-01T02:54:41.753559Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
DeepChat Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)
Details

DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66222.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/thinkinaixyz/deepchat

Affected ranges

Type
GIT
Repo
https://github.com/thinkinaixyz/deepchat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f1c7dde3702de8f0ded9309260747927f6645831

Affected versions

v0.*
v0.0.1
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.2
v0.0.3
v0.0.5
v0.0.6
v0.0.7
v0.0.9
v0.1.0
v0.1.1
v0.2.0
v0.2.0-1
v0.2.1
v0.2.2
v0.2.3
v0.2.3-1
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.9
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.5
v0.4.6
v0.4.8
v0.4.9
Other
workflow-19022687016

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66222.json"