CNNVD-202509-1587 Information

CNNVD ID

CNNVD-202509-1587

CVE-2025-59053

  • CNNVD Published: 2025-09-11

Description

Project AIRI is an open-source AI chatbot from moeru-ai. Project AIRI version 0.7.2-beta.2 contains a code injection vulnerability. It stems from the MarkdownRenderer.vue component using v-html directly to render unescaped HTML content, which may lead to cross-site scripting (XSS). In addition, the user-supplied command and args parameters are not validated, which may lead to arbitrary command execution.

Hazard Level

High

Vulnerability Type

Code injection

Affected Vendor

moeru-ai

Published

2025-09-11

Last Modified

2026-02-24

References

https://github.com/moeru-ai/airi/commit/3315634903c9102a19e8f0476970df01801c8ca4

https://github.com/moeru-ai/airi/security/advisories/GHSA-9832-f8jx-hw6f

https://access.redhat.com/security/cve/cve-2025-59053

Patch

https://github.com/moeru-ai/airi/releases
