{"id":"CVE-2025-59053","summary":"AIRI's character card/chat UI is vulnerable to XSS and can lead to RCE","details":"AIRI is a self-hosted, artificial intelligence based Grok Companion. In v0.7.2-beta.2 in the `packages/stage-ui/src/components/MarkdownRenderer.vue` path, the Markdown content is processed using the useMarkdown composable, and the processed HTML is rendered directly into the DOM using v-html. An attacker creates a card file containing malicious HTML/JavaScript, then simply processes it using the highlightTagToHtml function (which simply replaces template tags without HTML escaping), and then directly renders it using v-html, leading to cross-site scripting (XSS). The project also exposes the Tauri API, which can be called from the frontend. The MCP plugin exposes a command execution interface function in `crates/tauri-plugin-mcp/src/lib.rs`. This allows arbitrary command execution. `connect_server` directly passes the user-supplied `command` and `args` parameters to `Command::new(command).args(args)` without any input validation or whitelisting. Thus, the previous XSS exploit could achieve command execution through this interface. v0.7.2-beta.3 fixes the issue.","aliases":["GHSA-9832-f8jx-hw6f"],"modified":"2026-04-10T05:33:18.902808Z","published":"2025-09-11T18:26:52.485Z","database_specific":{"cwe_ids":["CWE-94"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59053.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59053.json"},{"type":"ADVISORY","url":"https://github.com/moeru-ai/airi/security/advisories/GHSA-9832-f8jx-hw6f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59053"},{"type":"FIX","url":"https://github.com/moeru-ai/airi/commit/3315634903c9102a19e8f0476970df01801c8ca4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moeru-ai/airi","events":[{"introduced":"0"},{"fixed":"3315634903c9102a19e8f0476970df01801c8ca4"}]}],"versions":["v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.2.0","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.4.0","v0.4.1","v0.4.10","v0.4.11","v0.4.12","v0.4.13","v0.4.14","v0.4.15","v0.4.16","v0.4.17","v0.4.2","v0.4.21","v0.4.22","v0.4.23","v0.4.24","v0.4.25","v0.4.26","v0.4.26-beta.1","v0.4.26-beta.2","v0.4.26-beta.3","v0.4.27","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.4.8","v0.4.9","v0.5.0","v0.6.0","v0.6.1","v0.7.0","v0.7.0-alpha.1","v0.7.0-beta.1","v0.7.1","v0.7.2-beta.1","v0.7.2-beta.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59053.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}