Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-47777

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-14 May, 2025 | 15:23
Updated At-14 May, 2025 | 15:39
Rejected At-
Credits

5ire Client Vulnerable to Cross-Site Scripting (XSS) and Remote Code Execution (RCE)

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:14 May, 2025 | 15:23
Updated At:14 May, 2025 | 15:39
Rejected At:
▼CVE Numbering Authority (CNA)
5ire Client Vulnerable to Cross-Site Scripting (XSS) and Remote Code Execution (RCE)

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Affected Products
Vendor
nanbingxyz
Product
5ire
Versions
Affected
  • < 0.11.1
Problem Types
TypeCWE IDDescription
CWECWE-20CWE-20: Improper Input Validation
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-20
Description: CWE-20: Improper Input Validation
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.19.7CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.7
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8
x_refsource_CONFIRM
https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8
x_refsource_MISC
https://positive.security/blog/url-open-rce
x_refsource_MISC
https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22
x_refsource_MISC
https://www.electronjs.org/docs/latest/tutorial/security
x_refsource_MISC
https://www.youtube.com/watch?v=ROFYhS9E9eU
x_refsource_MISC
Hyperlink: https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8
Resource:
x_refsource_MISC
Hyperlink: https://positive.security/blog/url-open-rce
Resource:
x_refsource_MISC
Hyperlink: https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22
Resource:
x_refsource_MISC
Hyperlink: https://www.electronjs.org/docs/latest/tutorial/security
Resource:
x_refsource_MISC
Hyperlink: https://www.youtube.com/watch?v=ROFYhS9E9eU
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:14 May, 2025 | 16:15
Updated At:22 Jan, 2026 | 21:26

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CPE Matches
5ire
5ire
>>5ire>>Versions before 0.11.1(exclusive)
cpe:2.3:a:5ire:5ire:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-20Secondarysecurity-advisories@github.com
CWE-79Secondarysecurity-advisories@github.com
CWE ID: CWE-20
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-79
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8security-advisories@github.com
Patch
https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8security-advisories@github.com
Vendor Advisory
https://positive.security/blog/url-open-rcesecurity-advisories@github.com
Not Applicable
https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22security-advisories@github.com
Not Applicable
https://www.electronjs.org/docs/latest/tutorial/securitysecurity-advisories@github.com
Not Applicable
https://www.youtube.com/watch?v=ROFYhS9E9eUsecurity-advisories@github.com
Exploit
Hyperlink: https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://positive.security/blog/url-open-rce
Source: security-advisories@github.com
Resource:
Not Applicable
Hyperlink: https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22
Source: security-advisories@github.com
Resource:
Not Applicable
Hyperlink: https://www.electronjs.org/docs/latest/tutorial/security
Source: security-advisories@github.com
Resource:
Not Applicable
Hyperlink: https://www.youtube.com/watch?v=ROFYhS9E9eU
Source: security-advisories@github.com
Resource:
Exploit

Change History

0
Information is not available yet

Similar CVEs

203Records found
CVE-2023-42497
Matching Score-4
Assigner-Liferay, Inc.
ShareView Details
Matching Score-4
Assigner-Liferay, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.19% / 41.08%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 07:56
Updated-13 Sep, 2024 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalDXPPortal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-39007
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-48.45% / 97.67%
||
7 Day CHG+6.56%
Published-09 Aug, 2023 | 00:00
Updated-10 Oct, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.

Action-Not Available
Vendor-opnsensen/a
Product-opnsensen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38888
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-5.01% / 89.51%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

Action-Not Available
Vendor-n/aDolibarr ERP & CRM
Product-dolibarr_erp\/crmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found