Description
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass (RCE). While the patch correctly restricted api.openExternal() inside the renderer's preload/index.ts script, it structurally neglected to sanitize native Electron pop-up window handlers. An attacker or a compromised AI endpoint returning a Markdown link can trigger a target="_blank" native window interception in tabPresenter.ts, which forwards the malicious URL directly to shell.openExternal(url) and completely bypasses the isValidExternalUrl security boundary. This vulnerability is fixed in v1.0.4-beta.1.
Published: 2026-05-11
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DeepChat, an open‑source AI agent platform, had an incomplete fix for a prior vulnerability that allowed an attacker to execute code on a user’s machine. The flaw lies in the handling of Markdown links rendered in the application. When a link contains a target="_blank" attribute, a native Electron pop‑up window is created, and the URL is forwarded directly to shell.openExternal(url). This bypasses the security boundary defined by isValidExternalUrl. An attacker or a malicious AI endpoint that returns such a link can therefore trigger arbitrary external command execution, yielding full remote code execution on the target. The weakness is an instance of CWE‑20: Improper Input Validation.

Affected Systems

ThinkInAIXYZ’s DeepChat product is affected, specifically versions prior to v1.0.4‑beta.1. No specific sub‑versions are listed beyond the general pre‑1.0.4‑beta.1 range, so any deployment of DeepChat older than that release is vulnerable.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity, and the EPSS score is not available, so the current public exploit probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via malicious markdown links that an attacker can inject into an AI endpoint or via a compromised AI service. Successful exploitation requires that the end user render the link inside the DeepChat UI, and the application’s shell.openExternal call will execute the injected URL, giving the attacker full control.

Generated by OpenCVE AI on May 11, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DeepChat to version 1.0.4‑beta.1 or later.
  • Disable or restrict shell.openExternal calls in the application or enforce isValidExternalUrl consistently across all pop‑up handlers.
  • Ensure that any Markdown content returned from AI endpoints is validated or sanitized before rendering to prevent malicious links from being presented to the user.

Generated by OpenCVE AI on May 11, 2026 at 23:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Thinkinai
Thinkinai deepchat
Vendors & Products Thinkinai
Thinkinai deepchat

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass (RCE). While the patch correctly restricted api.openExternal() inside the renderer's preload/index.ts script, it structurally neglected to sanitize native Electron pop-up window handlers. An attacker or a compromised AI endpoint returning a Markdown link can trigger a target="_blank" native window interception in tabPresenter.ts, which forwards the malicious URL directly to shell.openExternal(url) and completely bypasses the isValidExternalUrl security boundary. This vulnerability is fixed in v1.0.4-beta.1.
Title DeepChat: Incomplete Fix for CVE-2025-55733 leads to Remote Code Execution via Markdown Links bypassing `isValidExternalUrl`
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Thinkinai Deepchat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T12:52:30.296Z

Reserved: 2026-05-04T16:11:33.085Z

Link: CVE-2026-43899

cve-icon Vulnrichment

Updated: 2026-05-12T12:52:20.407Z

cve-icon NVD

Status : Deferred

Published: 2026-05-11T23:20:21.410

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-43899

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses