CVE-2025-58768
DeepChat · DeepChat
DeepChat prior to 0.3.5 is vulnerable to a cross-site scripting (XSS) attack due to improper sanitization of user content in the Mermaid chart rendering component.
Executive summary
A critical vulnerability in the DeepChat Mermaid chart rendering component allows for code injection via improper innerHTML usage, posing a risk of malicious script execution.
Vulnerability
The vulnerability stems from the use of innerHTML to render user-provided content within the Mermaid chart component. This lack of sanitization allows an attacker to inject malicious scripts that execute in the context of the victim's browser.
Business impact
The CVSS score of 9.6 highlights the critical nature of this flaw, as it facilitates cross-site scripting (XSS). This could lead to the theft of session cookies, unauthorized access to user accounts, or the redirection of users to malicious third-party websites, causing significant reputational and operational damage.
Remediation
Immediate Action: Upgrade DeepChat to version 0.3.5 or the latest available release to ensure the innerHTML vulnerability is mitigated.
Proactive Monitoring: Monitor browser-side security logs and implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.
Compensating Controls: Utilize a WAF to inspect and filter incoming data for suspicious script tags, particularly those intended for rendering in chart components.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The vulnerability allows for trivial script injection, which is a major security concern for any user-facing application. Developers must upgrade to version 0.3.5 immediately to replace the insecure rendering logic with a safer alternative.