CVE-2025-58768

CRITICAL
Published Sep 9, 2025 Modified Sep 18, 2025 CWE-94 CWE-79

Description

DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix.

CVSS v3.1 Score

9.6
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Weakness Type (CWE)

CWE-94 CWE-94
CWE-79 Cross-site Scripting (XSS)

Affected Products

Vendor Product
thinkinai deepchat

References

Frequently Asked Questions

What is CVE-2025-58768? +
DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using `innerHTML` to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix. It has a CVSS v3.1 base score of 9.6 (CRITICAL).
How severe is CVE-2025-58768? +
CVE-2025-58768 has a CVSS v3.1 score of 9.6 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.
What products are affected by CVE-2025-58768? +
CVE-2025-58768 affects products from thinkinai, specifically: deepchat. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-58768? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-58768 — free, no signup required.

Start Free Scan