CVE-2025-67744 – DeepChat versions before 0.5.3 contain a critic... (How to Fix)

Q: What is the severity of CVE-2025-67744?

CVE-2025-67744 has a CVSS score of 9.6 (CRITICAL). DeepChat versions before 0.5.3 contain a critical vulnerability where unsafe Mermaid diagram rendering allows arbitrary JavaScript execution. This XSS flaw escalates to full remote code execution due to exposed Electron IPC interfaces, enabling attackers to execute system commands. All users running vulnerable DeepChat instances are affected.

📋 TL;DR

DeepChat versions before 0.5.3 contain a critical vulnerability where unsafe Mermaid diagram rendering allows arbitrary JavaScript execution. This XSS flaw escalates to full remote code execution due to exposed Electron IPC interfaces, enabling attackers to execute system commands. All users running vulnerable DeepChat instances are affected.

💻 Affected Systems

Products:

DeepChat

Versions: All versions before 0.5.3

Operating Systems: All platforms where DeepChat runs

Default Config Vulnerable: ⚠️ Yes

Notes: Any DeepChat instance with Mermaid diagram rendering enabled is vulnerable.

📦 What is this software?

Deepchat by Thinkinai

View all CVEs affecting Deepchat →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attacker to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠

Likely Case

Attacker gains remote code execution on the DeepChat server, potentially accessing sensitive AI models, user data, and system resources.

🟢

If Mitigated

If proper network segmentation and least privilege are implemented, impact may be limited to the DeepChat application and its data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting malicious Mermaid diagrams but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.3

Vendor Advisory: https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-w8w8-82pv-5rg9

Restart Required: Yes

Instructions:

1. Stop DeepChat service. 2. Update to version 0.5.3 using package manager or manual installation. 3. Restart DeepChat service.

🔧 Temporary Workarounds

Disable Mermaid rendering

all

Temporarily disable Mermaid diagram rendering functionality

Modify DeepChat configuration to disable Mermaid diagram support

Network isolation

all

Restrict network access to DeepChat instances

Configure firewall rules to limit access to trusted IPs only

🧯 If You Can't Patch

Isolate DeepChat instances on separate network segments with strict firewall rules
Implement web application firewall (WAF) rules to block suspicious Mermaid content

🔍 How to Verify

Check if Vulnerable:

Check DeepChat version - if version is below 0.5.3, system is vulnerable

Check Version:

Check DeepChat configuration file or run: deepchat --version

Verify Fix Applied:

Verify DeepChat version is 0.5.3 or higher after update

📡 Detection & Monitoring

Log Indicators:

Unusual Mermaid diagram rendering requests
Suspicious JavaScript execution in logs
Unexpected system command execution

Network Indicators:

Unusual outbound connections from DeepChat server
Traffic patterns suggesting command and control

SIEM Query:

source="deepchat" AND (mermaid OR diagram) AND (javascript OR eval OR exec)

📊 Metadata

CVE ID: CVE-2025-67744

CVSS v3 Score: 9.6 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-94

EPSS Score: 0.23% exploit probability (45.8th percentile)

Published: December 16, 2025

Last Updated: January 2, 2026

🔗 References

https://github.com/ThinkInAIXYZ/deepchat/commit/b179d97921af04a0ae1ae68757338dd8b8cbefe7 Patch
https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-w8w8-82pv-5rg9 Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-67744, you might also want to check these: