DeepChat Remote Code Execution Vulnerability via Exposed IPC Interface and Unsafe Mermaid Configuration
Vulnerability
A remote code execution vulnerability has been identified in DeepChat versions prior to 0.5.3. This issue arises from the Mermaid diagram rendering component, which allows arbitrary JavaScript execution. The vulnerability is escalated to full remote code execution due to the exposure of the Electron IPC renderer to the DOM, enabling execution of arbitrary system commands. The root cause lies in an unsafe configuration of Mermaid rendering in 'MarkdownRenderer.vue', which lacks proper sanitization and security measures, combined with an exposed IPC interface that grants access to privileged main process handlers.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected system, with the executed commands running in the context of the user.
Reproduction
To reproduce this vulnerability, create a Mermaid diagram that includes a 'javascript:' URI in a click event handler and render it with the 'MarkdownRenderer.vue' component, which applies no sanitization. Once the diagram is rendered, clicking the link triggers the JavaScript, which reaches the exposed IPC renderer and allows execution of arbitrary system commands.
Remediation
Users can update to DeepChat version 0.5.3, which includes a patch for this vulnerability. Developers are advised to sanitize Mermaid content with DOMPurify before rendering, so that untrusted data is cleaned and cannot execute harmful scripts.
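A pre-render check that complements the DOMPurify step, as an added example that is not DeepChat's code or its 0.5.3 patch: it audits Mermaid source for click directives whose link target falls outside a scheme allowlist, and also flags callback bindings, which goes slightly beyond the 'javascript:' case described above. The function names, the allowlist and the sample diagram are assumptions constructed for illustration.

```javascript
// Added example (not DeepChat code). Policy below is an assumption.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse with the WHATWG URL parser, which normalises the way browsers do:
// it strips tabs/newlines and leading control characters and lowercases the
// scheme. Relative or unparsable targets throw and are rejected.
function isSafeLinkTarget(href) {
  try {
    return ALLOWED_SCHEMES.has(new URL(href).protocol);
  } catch {
    return false;
  }
}

// click <node> [href] "<target>"  : Mermaid link form
const CLICK_LINK = /^\s*click\s+(\S+)\s+(?:href\s+)?"([^"]*)"/;
// click <node> [call] <function>  : Mermaid callback form
const CLICK_CALLBACK = /^\s*click\s+(\S+)\s+(?:call\s+)?[A-Za-z_$]/;

// Returns one finding per click directive that untrusted content should not carry.
function auditMermaidSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const link = CLICK_LINK.exec(text);
    if (link) {
      if (!isSafeLinkTarget(link[2])) {
        findings.push({ line: i + 1, node: link[1], reason: "link scheme not allowlisted" });
      }
      return;
    }
    const callback = CLICK_CALLBACK.exec(text);
    if (callback) {
      findings.push({ line: i + 1, node: callback[1], reason: "callback binding" });
    }
  });
  return findings;
}

// Constructed sample: one benign link, one mixed-case target split by a tab.
const SAMPLE = [
  "flowchart TD",
  "  A[Docs] --> B[Help]",
  '  click A href "https://example.com/docs"',
  '  click B href "JaVa\tScRiPt:void(0)"',
].join("\n");

console.log(auditMermaidSource(SAMPLE));
```

A non-empty result should block rendering or be logged for review; the rendered output still goes through DOMPurify as recommended above.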
