CVE-2025-58768: 
Homebrew vulnerability analysis and mitigation

CVE-2025-58768 affects DeepChat, a smart assistant that uses artificial intelligence, prior to version 0.3.5. The vulnerability was discovered on September 9, 2025, and involves a cross-site scripting (XSS) vulnerability in the Mermaid chart rendering component that can lead to remote code execution (RCE). The issue stems from the direct use of innerHTML to set user content, which failed to properly address a previously identified XSS vulnerability (GitHub Advisory).

The vulnerability exists in the Mermaid chart rendering component within the file src/renderer/src/components/artifacts/MermaidArtifact.vue. The component directly uses innerHTML to set user content without proper sanitization, allowing malicious content to be rendered via Mermaid charts. The vulnerability has received a CVSS v3.1 base score of 9.6 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The weakness is classified as CWE-94 (Improper Control of Generation of Code) and CWE-79 (Cross-site Scripting) (GitHub Advisory, NVD).

The vulnerability allows attackers to execute arbitrary code on the user's computer through the exploit chain. When malicious content is rendered via Mermaid charts, it can trigger command execution, potentially leading to full system compromise. The impact is particularly severe as it affects confidentiality, integrity, and availability at the highest levels (GitHub Advisory).

The vulnerability has been patched in version 0.3.5 of DeepChat. Users are strongly advised to upgrade to this version or later to address the security issue (GitHub Advisory, NVD).