CVE-2025-47777

9.6 CRITICAL
Published: May 14, 2025
Modified: January 22, 2026

Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.
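Added example, not code from 5ire or from this record: the two Electron-side mitigations the description points at, a scheme allowlist on any URL an app hands to shell.openExternal() and renderer settings that keep Node and Electron APIs out of reach of rendered chatbot output. It assumes the common pattern in which links from rendered content reach shell.openExternal(); hardenWindow and the injected win/shell parameters are illustrative.

```javascript
// Added example (not 5ire's code). Only http(s) may leave the app; file:,
// javascript:, data: and custom schemes are the inputs that unsafe protocol
// handling turns into code execution, so they are refused before any handler.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Renderer settings that deny web content direct access to Node/Electron APIs.
// Pass as `webPreferences` when constructing a BrowserWindow.
const SECURE_WEB_PREFERENCES = {
  contextIsolation: true, // preload and page JS live in separate worlds
  nodeIntegration: false, // no require()/process in page JS
  sandbox: true,          // OS-level renderer sandbox
};

// True only for a parsable URL on an allowlisted scheme with a real host.
function isAllowedExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return false; // unparsable input is never forwarded
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) && url.hostname !== '';
}

// Wires the guard into a window. `win` and `shell` are injected so the
// function runs without the electron module loaded; in a real app pass the
// BrowserWindow and electron.shell. Returns a counter of blocked attempts.
function hardenWindow(win, shell) {
  const stats = { blocked: 0 };
  const openGuarded = (url) => {
    if (isAllowedExternalUrl(url)) {
      shell.openExternal(url);
    } else {
      stats.blocked += 1;
    }
  };
  // window.open() / target=_blank from page JS: never spawn a new window,
  // route the URL through the guard instead.
  win.webContents.setWindowOpenHandler(({ url }) => {
    openGuarded(url);
    return { action: 'deny' };
  });
  // In-page navigation (e.g. a crafted <a href> inside a chatbot reply):
  // keep the renderer on the app's own content.
  win.webContents.on('will-navigate', (event, url) => {
    event.preventDefault();
    openGuarded(url);
  });
  return stats;
}
```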


CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8 (Source: security-advisories@github.com; Vendor Advisory)
https://positive.security/blog/url-open-rce (Source: security-advisories@github.com; Not Applicable)
https://www.electronjs.org/docs/latest/tutorial/security (Source: security-advisories@github.com; Not Applicable)
https://www.youtube.com/watch?v=ROFYhS9E9eU (Source: security-advisories@github.com; Exploit)

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.6 / 10.0
EPSS (Exploit Probability)
2.2%
84th percentile
Exploitation Status
Not in CISA KEV

Affected Vendors

5ire