Skip to main content

Node.js EUVDEUVD-2024-54618

| CVE-2024-57783 HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-02 cve@mitre.org
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 16:47 euvd
EUVD-2024-54618
Analysis Generated
Mar 14, 2026 - 16:47 vuln.today
CVE Published
Jun 02, 2025 - 14:15 nvd
HIGH 8.1

DescriptionCVE.org

The desktop application in Dot through 0.9.3 allows XSS and resultant command execution because user input and LLM output are appended to the DOM with innerHTML (in render.js), and because the Electron window can access Node.js APIs.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Dot desktop application (versions through 0.9.3) that allows unauthenticated local attackers to execute arbitrary commands with high complexity due to unsafe DOM manipulation via innerHTML. The vulnerability chains user input and LLM output directly into the DOM without sanitization, combined with Electron's Node.js API access, enabling command execution. This is a local attack vector with high impact on confidentiality, integrity, and availability.

Technical ContextAI

The vulnerability exists in render.js where both user-supplied input and Large Language Model (LLM) generated output are directly appended to the DOM using the innerHTML property. This violates secure coding practices for XSS prevention (CWE-79: Improper Neutralization of Input During Web Page Generation). The root cause is the absence of input validation, output encoding, and Content Security Policy (CSP) enforcement. The Electron framework, while providing cross-platform desktop capabilities, compounds the risk by enabling renderer processes to access Node.js APIs (require statements, child_process module), which transforms what would be a traditional web XSS into a local code execution vulnerability. The attack surface includes any user input fields that feed LLM prompts and any LLM responses rendered to the UI. CPE for affected product: cpe:2.3:a:dot:dot:*:*:*:*:*:*:*:* (versions <= 0.9.3).

RemediationAI

Upgrade to Dot version 0.9.4 or later (specific patch version not disclosed in CVE; check official Dot GitHub repository or releases page); priority: Critical Code-Level Mitigation: Replace innerHTML usage with textContent or innerText for user-controlled and LLM output data in render.js. If HTML rendering is required, use a safe HTML sanitization library such as DOMPurify or xss.js with strict allowlists. Security Hardening: Implement Content Security Policy (CSP) headers in Electron webPreferences to disable inline scripts and restrict script sources. Set sandbox: true and disable nodeIntegration in BrowserWindow configuration. Architecture Change: Separate renderer process from main process by using preload scripts and IPC (inter-process communication) rather than direct Node.js API access from renderer. This limits privilege escalation from XSS. Input Validation: Implement strict input validation and sanitization on all user-supplied data before rendering. Use allowlists for expected input formats. Workaround: If immediate patching is not possible, avoid processing untrusted or adversarial LLM outputs and disable features that accept complex user input in Dot until patched.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2024-54618 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy