A critical vulnerability has been discovered in the Dive open-source MCP Host Desktop Application, which could allow an attacker to take complete control of a victim's computer. The flaw resides in the diagram rendering component and can be exploited by tricking a user into viewing a specially crafted diagram, leading to remote code execution. Immediate patching is required to mitigate this severe risk.

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw within the Mermaid diagram rendering component of the Dive application. An attacker can create a Mermaid diagram containing a malicious JavaScript payload using the javascript: URI scheme. When a victim views or interacts with this stored diagram, the embedded JavaScript executes in the context of the application. This script can then be used to silently inject a malicious Model Context Protocol (MCP) server configuration. The attack culminates when the user clicks on a node within the malicious diagram, which triggers the compromised MCP configuration and leads to Remote Code Execution (RCE) on the user's system.

This vulnerability is rated as critical with a CVSS score of 9.6, posing a severe threat to the organization. Successful exploitation allows an attacker to execute arbitrary code on an affected user's machine, granting them the same level of access as the user. Potential consequences include the theft of sensitive data, deployment of ransomware, installation of persistent backdoors, and the ability to pivot further into the corporate network. The direct impact on business operations could be catastrophic, leading to significant financial loss, reputational damage, and regulatory penalties.

Immediate Action: Immediately identify all instances of the Dive application and upgrade them to version 0.11.1 or later, which contains the fix for this vulnerability. Following the update, review application and system logs for any signs of compromise or exploitation attempts that may have occurred prior to patching.

Proactive Monitoring: Implement enhanced monitoring on systems running the Dive application. Specifically, monitor for unusual or unauthorized changes to MCP server configurations, unexpected outbound network connections originating from the Dive application process, and logs indicating the rendering of Mermaid diagrams containing javascript: payloads.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls as a temporary measure:

• Disable the Mermaid diagram rendering feature if possible within the application's configuration.
• Use application control or whitelisting solutions to prevent the Dive application from spawning untrusted child processes (e.g., command shells, PowerShell).
• Enforce strict network egress filtering to block connections from user workstations to unknown or malicious IP addresses, which could prevent an attacker's command-and-control communication.

Public Exploit Available: false

Due to the critical severity (CVSS 9.6) and the risk of Remote Code Execution, it is imperative that organizations prioritize the immediate remediation of this vulnerability. All systems running vulnerable versions of the Dive application should be updated to version 0.11.1 or newer without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high impact makes it a prime candidate for future inclusion and an attractive target for attackers. Immediate action is the most effective way to prevent a potentially devastating security breach.