CVE-2025-47777

5ire Client Vulnerable to Cross-Site Scripting (XSS) and Remote Code Execution (RCE)

Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Category

9.6
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 0.29%
Affected: nanbingxyz 5ire
Published at:
Updated at:

References

Link Tags
https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8
https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8
https://positive.security/blog/url-open-rce
https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22
https://www.electronjs.org/docs/latest/tutorial/security
https://www.youtube.com/watch?v=ROFYhS9E9eU

Frequently Asked Questions

What is the severity of CVE-2025-47777?
CVE-2025-47777 has been scored as a critical severity vulnerability.
How to fix CVE-2025-47777?
To fix CVE-2025-47777, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-47777 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-47777 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-47777?
CVE-2025-47777 affects nanbingxyz 5ire.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.