5ire Cross-Site Scripting Vulnerability in Chat Page Allows Remote Code Execution

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in 5ire version 0.13.2, specifically within the chat page's script handling. It allows content injection, and the injected content can be delivered through malicious prompt-injection pages, compromised Model Context Protocol (MCP) servers, or abused tool integrations. The injected content can be escalated to remote code execution on the user's machine.

Impact

Exploitation of this vulnerability allows for full remote code execution on the user's machine.

Reproduction

To reproduce this vulnerability, inject a crafted chat message that exploits the ECharts configuration handling. This can be done by hosting a page that carries the prompt injection or by using a compromised MCP server. Once the message is sent, the injected script executes, leveraging the XSS to run arbitrary code.

Remediation

Users are advised to upgrade to version 0.14.0 or later, where this vulnerability has been patched.
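The advisory gives no detail of 5ire's renderer, so the following is an added illustration only, not code from 5ire or from the advisory. It shows the general defensive pattern for a chat client that renders ECharts options found in message content: parse the block as JSON rather than evaluating it as a JavaScript object literal, allowlist the top-level keys, reject keys that ECharts interprets as callbacks or HTML templates, reject prototype-polluting key names, and bound nesting depth. The key lists, the `UnsafeChartOption` error type, and the sample chat blocks are assumptions constructed for this example.

```javascript
// Added example (not 5ire project code): defensively validating an ECharts
// option object that arrived inside an untrusted chat message.
//
// The unsafe pattern this replaces is evaluating the chat-supplied block as a
// JavaScript object literal (e.g. `new Function("return " + src)()`), which
// runs whatever code the block contains. JSON.parse cannot yield functions,
// and the allowlist on top of it keeps the renderer to plain data.

// Assumption: the chart feature only needs these top-level option sections.
const ALLOWED_TOP_LEVEL = new Set([
  'title', 'legend', 'grid', 'xAxis', 'yAxis', 'series', 'tooltip', 'color',
]);

// Keys whose values ECharts interprets as callbacks or as HTML/template markup.
// Assumption: the renderer never needs them from chat content.
const DENIED_KEYS = new Set(['formatter', 'rich', 'renderMode']);

// Bound on nesting so a hostile block cannot exhaust the stack.
const MAX_DEPTH = 12;

class UnsafeChartOption extends Error {}

// Recursively check that a parsed value is plain JSON data: objects, arrays,
// strings, finite numbers, booleans or null, with no denied keys, no
// prototype-polluting key names, and nesting no deeper than MAX_DEPTH.
function assertPlainData(value, depth = 0, path = '$') {
  if (depth > MAX_DEPTH) throw new UnsafeChartOption(`nesting too deep at ${path}`);
  if (value === null) return;
  const t = typeof value;
  if (t === 'string' || t === 'boolean') return;
  if (t === 'number') {
    if (!Number.isFinite(value)) throw new UnsafeChartOption(`non-finite number at ${path}`);
    return;
  }
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertPlainData(v, depth + 1, `${path}[${i}]`));
    return;
  }
  if (t === 'object') {
    for (const key of Object.keys(value)) {
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
        throw new UnsafeChartOption(`forbidden key "${key}" at ${path}`);
      }
      if (DENIED_KEYS.has(key)) {
        throw new UnsafeChartOption(`denied key "${key}" at ${path}`);
      }
      assertPlainData(value[key], depth + 1, `${path}.${key}`);
    }
    return;
  }
  throw new UnsafeChartOption(`unsupported value type ${t} at ${path}`);
}

// Parse a chat-supplied chart block. Returns a sanitized option object or throws.
function parseChartOption(src) {
  let parsed;
  try {
    parsed = JSON.parse(src); // never eval / new Function on chat content
  } catch (e) {
    throw new UnsafeChartOption(`chart block is not valid JSON: ${e.message}`);
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new UnsafeChartOption('chart option must be a JSON object');
  }
  const option = {};
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_TOP_LEVEL.has(key)) {
      throw new UnsafeChartOption(`unexpected top-level key "${key}"`);
    }
    assertPlainData(parsed[key], 1, `$.${key}`);
    option[key] = parsed[key];
  }
  return option;
}

// Convenience wrapper that reports a result record instead of throwing.
function checkChartBlock(src) {
  try {
    return { ok: true, option: parseChartOption(src) };
  } catch (e) {
    if (e instanceof UnsafeChartOption) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed sample blocks (not taken from any real chat session).
const BENIGN_BLOCK = JSON.stringify({
  xAxis: { type: 'category', data: ['Mon', 'Tue', 'Wed'] },
  yAxis: { type: 'value' },
  series: [{ type: 'bar', data: [12, 7, 19] }],
});
// A JavaScript object literal: valid input for eval, never for JSON.parse.
const JS_LITERAL_BLOCK = '{ series: [{ type: "bar", data: (function(){ return [1] })() }] }';
// Valid JSON that smuggles a template/markup-bearing key.
const TEMPLATE_BLOCK = JSON.stringify({
  tooltip: { formatter: '<b>{b}</b>' },
  series: [{ type: 'line', data: [1, 2, 3] }],
});

for (const [name, block] of [['benign', BENIGN_BLOCK], ['js-literal', JS_LITERAL_BLOCK], ['template', TEMPLATE_BLOCK]]) {
  const result = checkChartBlock(block);
  console.log(name, result.ok ? 'accepted' : `rejected: ${result.reason}`);
}
```

Running the block accepts the benign bar chart and rejects the other two: the object literal fails `JSON.parse`, and the template block is refused because of the `formatter` key before it ever reaches the chart library.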

Added: Sep 4, 2025, 10:54 AM
Updated: Sep 4, 2025, 4:08 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.8
exploitability: 7.7
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.