ГлавнаяУязвимости → CVE-2025-66580
9.6критическая

CVE-2025-66580

Описание

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.

Затрагиваемое ПО
Openagentplatform Dive
CVSS
Балл9.6 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Источники
https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-xv8m-365j-x6h2https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-xv8m-365j-x6h2