CVE-2026-43900

DeepChat · DeepChat AI Platform

A Cross-Site Scripting (XSS) vulnerability exists in DeepChat due to improper sanitization of SVG artifacts, allowing arbitrary JavaScript execution.

Executive summary

An unauthenticated attacker can execute arbitrary JavaScript in the context of a user's browser by exploiting a sanitization bypass in DeepChat’s SVG handling.

Vulnerability

This is a Cross-Site Scripting (XSS) vulnerability caused by the SVG sanitizer inspecting attribute values before HTML entities are decoded: an entity-encoded javascript: protocol passes the check as written and is decoded by the browser when the SVG element is rendered. An unauthenticated attacker can inject such obfuscated JavaScript protocols to bypass the SVGSanitizer and execute code in the victim's browser session.
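The check below is an added example, not DeepChat's own sanitizer code, written to show the defensive side of the flaw described above: a weak href check that reads the raw attribute string beside a hardened one that decodes character references and strips control characters before deciding on the scheme, and then allows only an explicit list of schemes. The function names, the named-entity table, the base URL and every sample input are constructed for this example.

```javascript
// Added example (not DeepChat's code): URL-attribute validation of the kind an
// SVG sanitizer must apply to href / xlink:href before an artifact is rendered.

// Minimal named-entity table (constructed). A production sanitizer should use a
// complete table rather than this subset.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', sol: '/', Tab: '\t', NewLine: '\n', nbsp: '\u00a0',
};

// Decode numeric (&#106; &#x6A;) and known named (&colon;) character references
// once. Unknown references are left untouched.
function decodeEntities(value) {
  return value.replace(
    /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);?/g,
    (match, body) => {
      if (body[0] === '#') {
        const hex = body[1] === 'x' || body[1] === 'X';
        const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
        return code <= 0x10ffff ? String.fromCodePoint(code) : match;
      }
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
        ? NAMED_ENTITIES[body]
        : match;
    }
  );
}

// Weak check, the failure mode the advisory describes: it looks at the raw
// attribute text, so a scheme whose letters are written as character references
// is not recognised even though the browser decodes them before navigating.
function weakHrefCheck(raw) {
  const lower = raw.trim().toLowerCase();
  return !lower.startsWith('javascript:') && !lower.startsWith('data:');
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
// Constructed base used to resolve relative references such as "#icon".
const DOCUMENT_BASE = 'https://app.example.invalid/';

// Hardened check. Returns the normalised value the sanitizer should write back,
// or null when the attribute must be dropped. Decoding is repeated (bounded) so a
// nested encoding cannot hide a scheme; C0 control characters and DEL are removed
// because URL parsers ignore tab/newline inside a URL; the scheme is then taken
// from the WHATWG URL parser and compared against an allowlist.
function sanitizeHref(raw) {
  let value = raw;
  for (let round = 0; round < 3; round++) {
    const decoded = decodeEntities(value);
    if (decoded === value) break;
    value = decoded;
  }
  if (decodeEntities(value) !== value) return null; // still encoded after 3 rounds
  value = value.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  if (value === '') return null;
  let url;
  try {
    url = new URL(value, DOCUMENT_BASE);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? value : null;
}

// Constructed sample attribute values, benign on purpose.
const SAMPLES = [
  'https://example.invalid/icon.svg',
  '#glyph',
  'javascript:void(0)',
  '&#106;avascript:void(0)',
  'java&Tab;script&colon;void(0)',
  'data:image/svg+xml,%3Csvg%3E%3C/svg%3E',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'weak:', weakHrefCheck(s), 'hardened:', sanitizeHref(s));
}
```

Two points on use: the value returned by the hardened check is the decoded, normalised string, so a sanitizer that serialises it back into markup must re-escape `&`, `"` and `<` on output rather than pasting it in; and the allowlist is the load-bearing part, so add schemes to it deliberately instead of extending the blocklist in the weak version.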

Business impact

Successful exploitation allows attackers to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. Given the 9.3 CVSS score, this represents a severe risk to user data integrity and platform trust.

Remediation

Immediate Action: Upgrade DeepChat to version 1.0.4-beta.1 or later.

Proactive Monitoring: Monitor browser-side error logs for unexpected script execution attempts, and inspect user-submitted SVG content for HTML entities in href, xlink:href and similar URL-bearing attributes, since entity-encoded values are the bypass vector.

Compensating Controls: Implement a strict Content Security Policy (CSP) to restrict the execution of inline scripts and prevent unauthorized external resource loading.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The vulnerability presents a high risk of browser-based attacks. Organizations should prioritize patching to version 1.0.4-beta.1 to eliminate the sanitization flaw and protect users from credential theft and session hijacking.