DeepChat Arbitrary Protocol Execution Bypass Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in DeepChat, an open-source AI agent platform, allows arbitrary protocol execution that bypasses the 'isValidExternalUrl' security check, leading to remote code execution. The issue arises from an incomplete mitigation of a previous vulnerability, CVE-2025-55733: the earlier fix did not properly sanitize native Electron pop-up window handlers. As a result, an attacker or a compromised AI endpoint can inject a Markdown link that triggers the interception of a native window pop-up, bypassing the application's security measures so that malicious URLs are executed directly on the host system.

Impact

Exploitation of this vulnerability allows a sandbox escape and remote code execution on the local host system. An attacker can execute arbitrary code by injecting Markdown links that the application processes without its security validations, launching harmful protocols that can lead to code execution or theft of sensitive information.

Reproduction

To reproduce this vulnerability, first set up a local server that mimics an OpenAI API endpoint. This server should be programmed to respond to chat completion requests with a payload that includes a Markdown link pointing to an unsafe protocol, such as 'calculator://'. Once the server is running, configure the DeepChat application to use this local server as a custom API provider. After initiating a conversation, the application will receive the injected Markdown link. Clicking on the link will trigger the vulnerability by executing the 'calculator://' command on the host system, demonstrating the bypass of the security filter and the resulting remote code execution.

Remediation

Users can update to DeepChat version 1.0.4-beta.1 or later, where this vulnerability has been fixed.
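
For developers of Electron applications with the same pattern, the gap described under Vulnerability (a URL check that pop-up window requests never pass through) can be closed by routing every window-open request through one scheme allowlist. This is an added example, not DeepChat's code or its actual fix: `normalizeExternalUrl`, `makeWindowOpenHandler` and the allowlist contents are hypothetical, and `openExternal` stands in for Electron's `shell.openExternal`.

```javascript
// Added example; hypothetical names, not DeepChat's code or its fix.
// Assumed allowlist: only these schemes may ever reach the OS.
const ALLOWED_SCHEMES = new Set(['https:', 'http:', 'mailto:']);

// Returns the parser-normalized URL if its scheme is allowlisted, else null.
// Checking the parsed protocol (not a string prefix) means case tricks,
// padding and embedded tabs/newlines are judged after URL normalization.
function normalizeExternalUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // relative or malformed input is never opened externally
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Builds a callback with the shape Electron's
// webContents.setWindowOpenHandler() expects: ({ url }) => ({ action }).
// openExternal is injected (shell.openExternal in a real main process).
function makeWindowOpenHandler(openExternal, onBlocked = () => {}) {
  return ({ url }) => {
    const safe = normalizeExternalUrl(url);
    if (safe !== null) openExternal(safe);
    else onBlocked(url);
    return { action: 'deny' }; // the renderer never gets a new window
  };
}

// Assumed wiring in the main process:
//   const { shell } = require('electron');
//   win.webContents.setWindowOpenHandler(makeWindowOpenHandler(shell.openExternal));

// Constructed sample requests, including the page's 'calculator://' scheme.
function runSamples() {
  const opened = [];
  const blocked = [];
  const handler = makeWindowOpenHandler((u) => opened.push(u), (u) => blocked.push(u));
  const samples = ['https://example.com/docs', 'calculator://', 'FILE:///etc/hosts',
    ' java\tscript:alert(1)', 'mailto:security@example.com', '/relative/path'];
  const actions = samples.map((url) => handler({ url }).action);
  return { opened, blocked, actions };
}
```

Because the handler always returns `deny` and hands only the normalized string to `openExternal`, the value that was checked is the value that is opened.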

Added: May 11, 2026, 11:28 PM
Updated: May 11, 2026, 11:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.5
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.