CVE-2025-68669
Severity CVSS v4.0: Pending analysis
Type: CWE-79 Cross-Site Scripting (XSS)
Publication date: 23/12/2025
Last modified: 06/02/2026
Description
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerability exists in useMarkdown.ts, where the markdown-it-mermaid plugin is initialized with securityLevel: 'loose'. This configuration explicitly permits the rendering of HTML tags within Mermaid diagram nodes. This issue has not been patched at time of publication.
Impact
Base Score 3.x: 9.60
Severity 3.x: CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:5ire:5ire:*:*:*:*:*:*:*:* | | 0.15.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/nanbingxyz/5ire/blob/c40d05a2b546094789fc727daa5383bb15034442/src/hooks/useMarkdown.ts#L156
- https://github.com/nanbingxyz/5ire/commit/1fbe40d0bfbfe215370d45b9af856c286d67d3f2
- https://github.com/nanbingxyz/5ire/releases/tag/v0.15.2
- https://github.com/nanbingxyz/5ire/security/advisories/GHSA-5hpf-p8fw-j349



