Skip to main content

AIRI CVE-2025-59053

CRITICAL
Code Injection (CWE-94)
2025-09-11 security-advisories@github.com
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:11 vuln.today
CVE Published
Sep 11, 2025 - 19:15 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

AIRI is a self-hosted, artificial intelligence based Grok Companion. In v0.7.2-beta.2 in the packages/stage-ui/src/components/MarkdownRenderer.vue path, the Markdown content is processed using the useMarkdown composable, and the processed HTML is rendered directly into the DOM using v-html. An attacker creates a card file containing malicious HTML/JavaScript, then simply processes it using the highlightTagToHtml function (which simply replaces template tags without HTML escaping), and then directly renders it using v-html, leading to cross-site scripting (XSS). The project also exposes the Tauri API, which can be called from the frontend. The MCP plugin exposes a command execution interface function in crates/tauri-plugin-mcp/src/lib.rs. This allows arbitrary command execution. connect_server directly passes the user-supplied command and args parameters to Command::new(command).args(args) without any input validation or whitelisting. Thus, the previous XSS exploit could achieve command execution through this interface. v0.7.2-beta.3 fixes the issue.

AnalysisAI

AIRI is a self-hosted, artificial intelligence based Grok Companion. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. AIRI is a self-hosted, artificial intelligence based Grok Companion. In v0.7.2-beta.2 in the packages/stage-ui/src/components/MarkdownRenderer.vue path, the Markdown content is processed using the useMarkdown composable, and the processed HTML is rendered directly into the DOM using v-html. An attacker creates a card file containing malicious HTML/JavaScript, then simply processes it using the highlightTagToHtml function (which simply replaces template tags without HTML escaping), and then directly renders it using v-html, leading to cross-site scripting (XSS). The project also exposes the Tauri API, which can be called from the frontend. The MCP plugin exposes a command execution interface function in crates/tauri-plugin-mcp/src/lib.rs. This allows arbitrary command execution. connect_server directly passes the user-supplied command and args parameters to Command::new(command).args(args) without any input validation or whitelisting. Thus, the previous XSS exploit could achieve command execution through this interface. v0.7.2-beta.3 fixes the issue.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

Share

CVE-2025-59053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy