DeepChat AI agent XSS-to-RCE via Mermaid and Electron IPC

Theklis Stefani

Junior Security Consultant

In December 2025, a critical remote code execution vulnerability was disclosed in DeepChat, an open-source desktop AI agent platform built using Electron. The issue, tracked as CVE-2025-67744, affects all DeepChat versions prior to 0.5.3 and carries a CVSS score of 9.6.

The vulnerability arises from the interaction between two separate weaknesses. The first allows attacker-controlled JavaScript execution through unsafe rendering of Mermaid diagrams. The second exposes privileged Electron inter-process communication (IPC) functionality directly to the application’s renderer context. When combined, these issues allow a remote attacker to escalate from injected client-side content to arbitrary command execution on the host system.

While the individual techniques involved are well understood, this vulnerability is notable for how easily it turns user-supplied or model-generated content into a full system compromise in an AI-driven desktop application.

Technical Details

DeepChat supports rendering Mermaid diagrams as part of its user interface. Mermaid is a text-based diagramming syntax that is converted into interactive visual output at runtime. In affected versions of DeepChat, certain Mermaid rendering paths did not sufficiently restrict or sanitise diagram definitions, allowing specially crafted input to trigger execution of arbitrary JavaScript within the renderer process.

As an Electron-based application, DeepChat is built using web technologies and runs its user interface inside a browser-like renderer process, while a separate privileged component handles access to the underlying operating system. Under normal circumstances, JavaScript execution in an Electron renderer should be heavily constrained. However, DeepChat also exposed its Electron IPC renderer object directly to the page context. This meant that JavaScript running in the renderer was able to invoke privileged IPC functionality intended to communicate with the application’s main process.

By chaining these two weaknesses, an attacker can escalate from rendering a malicious Mermaid diagram to executing system-level commands with the same privileges as the DeepChat application. No additional sandbox escape is required, as the security boundary between rendered content and the underlying operating system is effectively removed.

What makes this vulnerability particularly significant is how it reflects a broader pattern emerging in AI-enabled applications. Unlike traditional applications, AI agent platforms are designed to ingest and render content from multiple (often untrusted) sources, including user prompts, external tools, documents, and AI model output. This creates new trust assumptions around rendered content. When that content is treated as trusted UI input and rendered using rich or interactive formats, traditional client-side vulnerabilities such as cross-site scripting become a significant threat to unsuspecting users. This risk category is still evolving, and defensive controls across the industry remain inconsistent while security researchers and developers catch up.

Impact summary

Successful exploitation of CVE-2025-67744 allows an attacker to execute arbitrary code on the system running DeepChat. This provides control over the application process and access to any data or credentials available to it, including stored conversations, API keys, local files, and integrated tooling.

In environments where AI agent tools are used to interact with internal systems or sensitive datasets, this type of compromise could enable data theft, persistence, or lateral movement. Furthermore, it may allow a malicious actor to configure new Model Context Protocol (MCP) connections which could have a far-reaching impact.

Mitigating the vulnerability

The vulnerability has been addressed in DeepChat version 0.5.3. Upgrading to this version or later is the only reliable way to remove exposure.

More broadly, this issue highlights several architectural risks relevant to modern AI-enabled desktop applications. Renderer content should always be treated as untrusted, regardless of whether it originates from user input or AI-generated output. Electron applications should enforce context isolation, avoid exposing raw IPC interfaces to the renderer, and restrict privileged functionality to scoped preload APIs.
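The two preload shapes described above, as an added example that is not DeepChat's code: the risky pattern that hands the raw `ipcRenderer` object to page JavaScript, beside a scoped API exposed through `contextBridge`. The `contextBridge` and `ipcRenderer` objects are passed in as parameters so the allowlist logic can be exercised outside Electron; the channel names and the `deepchatApi` global are hypothetical.

```javascript
// Added example (not DeepChat's code). In a real Electron preload you would pass
// Electron's own `contextBridge` and `ipcRenderer`; here they are injected so the
// logic runs stand-alone. Channel names and the `deepchatApi` global are hypothetical.

// 1. Risky pattern: the raw ipcRenderer is placed on the page's window object.
//    Any script that gains execution in the renderer (for example through an
//    unsafe diagram render) can now call every channel the main process handles,
//    with whatever arguments it likes.
function exposeRawIpc(pageWindow, ipcRenderer) {
  pageWindow.ipcRenderer = ipcRenderer; // no channel restriction, no argument checks
}

// 2. Hardened pattern: with contextIsolation enabled, only a small fixed surface
//    crosses the bridge. Channel names live inside the preload, so page code cannot
//    choose them, and every argument is validated before it is forwarded.
const ALLOWED_CHANNELS = Object.freeze({
  renderDiagram: 'diagram:render', // hypothetical channel name
  readSetting: 'settings:read',    // hypothetical channel name
});

function buildScopedApi(ipcRenderer) {
  return Object.freeze({
    // Diagram source is forwarded as an opaque string; the main-process handler
    // decides how (and whether) to render it.
    renderDiagram(source) {
      if (typeof source !== 'string' || source.length > 20000) {
        throw new TypeError('diagram source must be a string under 20 kB');
      }
      return ipcRenderer.invoke(ALLOWED_CHANNELS.renderDiagram, source);
    },
    // Setting keys are restricted to a conservative identifier shape.
    readSetting(key) {
      if (typeof key !== 'string' || !/^[a-z][a-zA-Z0-9.]{0,63}$/.test(key)) {
        throw new TypeError('invalid setting key');
      }
      return ipcRenderer.invoke(ALLOWED_CHANNELS.readSetting, key);
    },
  });
}

function exposeScopedApi(contextBridge, ipcRenderer) {
  // exposeInMainWorld copies the object into the page's isolated world and proxies
  // its functions, so the page never obtains a reference to ipcRenderer itself.
  contextBridge.exposeInMainWorld('deepchatApi', buildScopedApi(ipcRenderer));
}
```

The scoped object deliberately has no `invoke` or `send` member, so even script running in the page cannot name an arbitrary channel.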

Where rich rendering features are required, libraries such as Mermaid should be configured securely, with interactive or scriptable behaviour disabled unless strictly necessary. Partial fixes that address only one rendering path can leave residual attack surfaces that are difficult to reason about in complex applications. Of course, implementing these security features would restrict user functionality, which goes against the current direction of travel as AI continues to be used experimentally.

As AI agents increasingly combine untrusted input, automated decision-making, and privileged system access, vulnerabilities that blur the line between content and execution are likely to become more common rather than less.

How can Sentrium help?

Sentrium provides penetration testing services covering desktop applications, Electron platforms, and AI-enabled systems. Our assessments focus not only on identifying individual vulnerabilities, but on how architectural decisions can allow seemingly low-risk issues to escalate into full system compromise. If you are deploying AI agent tools or rich client applications, we can support you in understanding and reducing the risks introduced by these emerging attack surfaces.

Start your assessment today by completing our pentest scoping form or get in touch with our team to find out more about our penetration testing services.

*** This is a Security Bloggers Network syndicated blog from Labs Archive - Sentrium Security authored by Theklis Stefani. Read the original post at: https://www.sentrium.co.uk/labs/deepchat-ai-agent-xss-to-rce-via-mermaid-and-electron-ipc