5ire Chat Message XSS Vulnerability Enables Remote Code Execution

9.7 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that enables content injection attacks through multiple vectors: malicious prompt injection pages, compromised MCP servers, and exploited tool integrations. This is fixed in version 0.14.0.

AI Analysis

A vulnerability in the chat page's script gadgets of 5ire AI assistant allows content injection attacks via malicious prompt injection pages, compromised MCP servers, and exploited tool integrations.

Basic Information

ID CVE-2025-58357

Source GitHub_M

Published Sep 4, 2025 at 00:30

Affected Product

Vendor nanbingxyz

Product 5ire

Version >= 0.13.2, < 0.14.0

Affected Versions nanbingxyz 5ire >= 0.13.2, < 0.14.0

CWE Classification

CWE-79

AI Assessment

AI Score 9.7 / 10

AI Severity CRITICAL

Vendor nanbingxyz

Product 5ire

Version 0.13.2

References

{
    "lastseen": "",
    "description": "5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that enables content injection attacks through multiple vectors: malicious prompt injection pages, compromised MCP servers, and exploited tool integrations. This is fixed in version 0.14.0.",
    "published": "2025-09-04T00:30:09.292Z",
    "modified": "2025-09-04T00:30:09.292Z",
    "type": "cve",
    "title": "5ire Chat Message XSS Vulnerability Enables Remote Code Execution",
    "source": "GitHub_M",
    "references": "https://github.com/nanbingxyz/5ire/security/advisories/GHSA-8527-3cch-95gf\nhttps://github.com/nanbingxyz/5ire/releases/tag/v0.14.0",
    "id": "CVE-2025-58357",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "nanbingxyz 5ire >= 0.13.2, < 0.14.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.7,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "5ire",
    "version": ">= 0.13.2, < 0.14.0",
    "vendor": "nanbingxyz",
    "ai_description": "A vulnerability in the chat page's script gadgets of 5ire AI assistant allows content injection attacks via malicious prompt injection pages, compromised MCP servers, and exploited tool integrations.",
    "ai_severity": "CRITICAL",
    "ai_vendor": "nanbingxyz",
    "ai_product": "5ire",
    "ai_version": "0.13.2",
    "ai_score": 9.7
}

5ire Chat Message XSS Vulnerability Enables Remote Code Execution_CVE-2025-58357