QwikSec

Security Database

CVE

CWE

Training

CVE-2025-47777

Published: May 14, 2025

Modified: May 14, 2025

PUBLISHED

CVSS v3.1

9.7

CRITICAL

Description

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot responses due to insufficient sanitization. This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. All users of 5ire client versions prior to patched releases, particularly those interacting with untrusted chatbots or pasting external content, are affected. Version 0.11.1 contains a patch for the issue.

Vendor	Product	Versions
nanbingxyz	5ire	affected `< 0.11.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/nanbingxyz/5ire/security/advisories/GHSA-mr8w-mmvv-6hq8

x_refsource_CONFIRM

https://github.com/nanbingxyz/5ire/commit/56601e012095194a4be0d4cb6da6b5b3cb53dea8

x_refsource_MISC

https://positive.security/blog/url-open-rce

x_refsource_MISC

https://shabarkin.notion.site/1-click-RCE-in-Electron-Applications-501c2e96e7934610979cd3c72e844a22

x_refsource_MISC

https://www.electronjs.org/docs/latest/tutorial/security

x_refsource_MISC

https://www.youtube.com/watch?v=ROFYhS9E9eU

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2025-47777 | CRITICAL (9.7) - Security Vulnerability | QwikSec