Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Classification

CVE ID: CVE-2025-47777

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

Vendor: nanbingxyz

Product: 5ire

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.29% (probability of being exploited)

EPSS Percentile: 51.99% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-47777
https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8
https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8
https://positive.security/blog/url-open-rce
https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22
https://www.electronjs.org/docs/latest/tutorial/security
https://www.youtube.com/watch?v=ROFYhS9E9eU

Timeline