CVE-2024-57783

EUVD-2024-54618 | HIGH | CVSS 3.1: 8.1
2025-06-02

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 16:47 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 16:47 (euvd), EUVD-2024-54618
CVE Published: Jun 02, 2025 - 14:15 (nvd), HIGH 8.1

Description

The desktop application in Dot through 0.9.3 allows XSS and resultant command execution because user input and LLM output are appended to the DOM with innerHTML (in render.js), and because the Electron window can access Node.js APIs.

Analysis

A cross-site scripting (XSS) vulnerability in the Dot desktop application (versions through 0.9.3) allows unauthenticated local attackers to execute arbitrary commands; attack complexity is high. The cause is unsafe DOM manipulation via innerHTML: user input and LLM output are inserted into the DOM without sanitization, and because the Electron window can access Node.js APIs, the injected script can run commands. This is a local attack vector with high impact on confidentiality, integrity, and availability.

Technical Context

The vulnerability exists in render.js where both user-supplied input and Large Language Model (LLM) generated output are directly appended to the DOM using the innerHTML property. This violates secure coding practices for XSS prevention (CWE-79: Improper Neutralization of Input During Web Page Generation). The root cause is the absence of input validation, output encoding, and Content Security Policy (CSP) enforcement. The Electron framework, while providing cross-platform desktop capabilities, compounds the risk by enabling renderer processes to access Node.js APIs (require statements, child_process module), which transforms what would be a traditional web XSS into a local code execution vulnerability. The attack surface includes any user input fields that feed LLM prompts and any LLM responses rendered to the UI. CPE for affected product: cpe:2.3:a:dot:dot:*:*:*:*:*:*:*:* (versions <= 0.9.3).

Affected Products

Dot (0.9.3 and earlier)

Remediation

Upgrade to Dot version 0.9.4 or later (specific patch version not disclosed in CVE; check the official Dot GitHub repository or releases page); priority: Critical.

Code-Level Mitigation: Replace innerHTML usage with textContent or innerText for user-controlled and LLM output data in render.js. If HTML rendering is required, use a safe HTML sanitization library such as DOMPurify or xss.js with strict allowlists.

Security Hardening: Implement a Content Security Policy (CSP) for the Electron window that disables inline scripts and restricts script sources. Set sandbox: true and disable nodeIntegration in the BrowserWindow configuration.

Architecture Change: Separate the renderer process from the main process by using preload scripts and IPC (inter-process communication) rather than direct Node.js API access from the renderer. This limits privilege escalation from XSS.

Input Validation: Implement strict input validation and sanitization on all user-supplied data before rendering. Use allowlists for expected input formats.

Workaround: If immediate patching is not possible, avoid processing untrusted or adversarial LLM outputs and disable features that accept complex user input in Dot until patched.
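The code-level mitigation and hardening steps above, as an added example that is not Dot's code: appendMessage writes message text with textContent instead of innerHTML, and auditWebPreferences flags BrowserWindow webPreferences that leave Node.js reachable from the renderer. The function names, the sample configurations and the inclusion of contextIsolation are assumptions, not taken from the project.

```javascript
// Added example, not Dot's code. All names and sample values are hypothetical.

// Hardened values for the webPreferences keys named in the remediation.
// contextIsolation is an added assumption: it backs the preload/IPC split.
const REQUIRED = { nodeIntegration: false, sandbox: true, contextIsolation: true };

// One finding per key that is missing or differs from the hardened value.
// Unset keys are reported too, because defaults differ across Electron versions.
function auditWebPreferences(prefs = {}) {
  return Object.entries(REQUIRED)
    .filter(([key, want]) => prefs[key] !== want)
    .map(([key, want]) => `${key} should be ${want}, found ${prefs[key]}`);
}

// Append a chat message as text. Assigning textContent never parses markup,
// so tags in user input or LLM output are shown literally, not instantiated.
function appendMessage(doc, container, role, text) {
  const el = doc.createElement('div');
  el.className = `message ${role}`;
  el.textContent = String(text);
  container.appendChild(el);
  return el;
}

// Constructed sample configurations (the preload path is a placeholder).
const weakPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = {
  nodeIntegration: false,
  sandbox: true,
  contextIsolation: true,
  preload: '/path/to/preload.js',
};

console.log('weak:', auditWebPreferences(weakPrefs));
console.log('hardened:', auditWebPreferences(hardenedPrefs));
```

In a renderer, appendMessage would be called with the page's own document and the chat container element; the audit function can run in a unit test against the options object passed to BrowserWindow.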

Priority Score

41 (KEV: 0, EPSS: +0.0, CVSS: +40, POC: 0)
