Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66562

CVE-2025-66562: Aiql Tuui RCE Vulnerability

CVE-2025-66562 is a critical remote code execution vulnerability in Aiql Tuui that allows attackers to execute arbitrary system commands via malicious Markdown. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-66562 Overview

CVE-2025-66562 is a Remote Code Execution (RCE) vulnerability in TUUI, a desktop Model Context Protocol (MCP) client. Versions prior to 1.3.4 allow execution of arbitrary JavaScript inside ECharts code blocks rendered by the Markdown component. An exposed Inter-Process Communication (IPC) interface lets that JavaScript spawn operating system processes. An attacker can execute arbitrary system commands when a victim views a malicious Markdown message. The flaw is tracked as Cross-Site Scripting (XSS) [CWE-79] and was fixed in TUUI 1.3.4.

Critical Impact

A single malicious Markdown message viewed in the TUUI client can lead to full remote command execution on the victim's host.

Affected Products

  • AIQL TUUI desktop MCP client, all versions prior to 1.3.4
  • Electron-based renderer using the Markdown component with ECharts support
  • Deployments relying on the IPC interface that permits process spawning

Discovery Timeline

  • 2025-12-05 - CVE-2025-66562 published to the National Vulnerability Database (NVD)
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2025-66562

Vulnerability Analysis

TUUI renders chat content through a Markdown component that supports ECharts code blocks. The renderer evaluates JavaScript inside those blocks to produce charts, which means untrusted Markdown can carry executable script. To support ECharts, the application's Content Security Policy (CSP) included 'unsafe-eval', allowing dynamic code evaluation inside the renderer process.

The Electron renderer also exposes an IPC interface that the application uses to spawn child processes. Because the XSS payload runs in the same context that can reach this IPC bridge, attacker-controlled JavaScript can invoke process spawning APIs directly. The result is a transition from script injection in the chat view to arbitrary command execution on the host.

Root Cause

The root cause is unsafe rendering of Markdown content combined with an over-privileged renderer. ECharts code blocks were treated as trusted, the CSP allowed unsafe-eval, and the IPC surface did not restrict which renderer-originated calls could spawn processes.

Attack Vector

An attacker delivers a crafted Markdown message—through a chat channel, MCP server response, or shared document—that contains an ECharts code block with malicious JavaScript. When the victim opens or views the message in TUUI, the renderer evaluates the script and calls the IPC bridge to launch arbitrary commands under the user's account. No additional privileges or installation steps are required beyond viewing the message.

text
// Patch excerpt: src/renderer/components/common/MarkdownCard.vue
 import mermaid from 'mermaid'
 
-import * as echarts from 'echarts'
-
 import highlight from 'highlight.js'
 import 'highlight.js/styles/atom-one-dark.css'

Source: GitHub Commit f673fa5

text
<!-- Patch excerpt: src/renderer/index.html -->
 <meta
   http-equiv="Content-Security-Policy"
-  content="script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+  content="script-src 'self'; style-src 'self' 'unsafe-inline';"
 />

Source: GitHub Commit f673fa5

The patch removes the ECharts import from the Markdown renderer and tightens the CSP by dropping 'unsafe-eval', eliminating the script execution primitive used by the exploit chain.

Detection Methods for CVE-2025-66562

Indicators of Compromise

  • TUUI installations running versions earlier than 1.3.4 on Windows, macOS, or Linux endpoints.
  • Child processes such as cmd.exe, powershell.exe, /bin/sh, or bash spawned by the TUUI Electron process without user interaction.
  • Markdown messages or MCP responses containing ECharts code blocks with embedded JavaScript calls to IPC, child_process, or process-spawning APIs.

Detection Strategies

  • Inventory endpoints for the TUUI binary and compare installed versions against 1.3.4 using software asset management or EDR telemetry.
  • Hunt for anomalous process trees where the TUUI renderer is the parent of shells, scripting hosts, or living-off-the-land binaries.
  • Inspect chat history, MCP server logs, and Markdown artifacts for ECharts fences containing eval, Function, or IPC channel names.

Monitoring Recommendations

  • Alert on outbound connections from TUUI processes to unexpected MCP servers or domains.
  • Monitor file writes by TUUI to autorun, startup, or scheduled task locations on the host.
  • Log and review CSP violation reports generated by the renderer to surface attempted script injections.

How to Mitigate CVE-2025-66562

Immediate Actions Required

  • Upgrade all TUUI installations to version 1.3.4 or later, available from the GitHub Release v1.3.4 page.
  • Restrict TUUI to trusted MCP servers and chat sources until upgrades are confirmed across the fleet.
  • Advise users not to open Markdown messages from untrusted senders in vulnerable TUUI versions.

Patch Information

The vendor fixed the issue in TUUI 1.3.4 via commit f673fa5b4d76e8236c7d9506d0727875cfa79cc1. The patch removes ECharts rendering from MarkdownCard.vue and removes 'unsafe-eval' from the renderer's CSP. Details are published in GitHub Security Advisory GHSA-qjhq-rgmr-6c3g.

Workarounds

  • Block execution of vulnerable TUUI versions through application control or allowlisting policies until patching completes.
  • Disconnect TUUI from untrusted MCP endpoints and disable Markdown rendering features where configurable.
  • Run TUUI under a least-privilege user account to limit the impact of any command execution.
bash
# Verify the installed TUUI version meets the fixed release
tuui --version
# Expected output: 1.3.4 or later

# Example application control rule (pseudocode) to block older builds
# Deny execution if file hash matches TUUI < 1.3.4
block_app --name "TUUI" --version-lt "1.3.4"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.