TelegAI 存储型跨站脚本漏洞

漏洞信息

漏洞名称： TelegAI 存储型跨站脚本漏洞

漏洞编号：

• CVE： CVE-2025-51860

漏洞类型： 跨站可执行脚本

漏洞等级： 高危

漏洞描述： TelegAI是一款用于构建和与AI角色聊天的网络应用程序，广泛应用于用户与AI角色的互动场景中。该应用程序在其聊天组件和角色容器组件中存在存储型跨站脚本（XSS）漏洞。攻击者可以通过在AI角色的描述、问候语、示例对话或系统提示中嵌入SVG XSS有效载荷，构造恶意AI角色。当用户与此类恶意AI角色互动或浏览其个人资料时，脚本会在用户的浏览器中执行。成功利用此漏洞可导致敏感信息（如会话令牌）被盗，进而可能导致账户劫持。

该漏洞的技术根源在于TelegAI未能对用户输入进行充分的验证和清理，特别是在处理AI角色的配置信息时，未能有效过滤或转义潜在的恶意脚本。这使得攻击者能够将恶意脚本存储于服务器端，并在其他用户访问相关页面时触发执行。

此漏洞的影响范围广泛，任何使用https://telegai.com的用户都可能受到影响。攻击者无需认证即可利用此漏洞，且漏洞可被自动化工具利用。一旦攻击成功，攻击者可窃取用户的会话令牌，进而控制用户账户，进行未授权操作，甚至进一步渗透系统内部网络。此外，由于漏洞存在于核心功能中，修复难度较大，需要开发团队对输入验证和输出编码机制进行全面审查和加固。

产品厂商： TelegAI

产品名称： TelegAI

来源： https://github.com/Secsys-FDU/CVE-2025-51860

类型： CVE-2025:github search

仓库文件

• README.md
• figure1.png

来源概述

CVE-2025-51860

Vulnerability description

TelegAI, a web application for constructing and chatting with AI Characters, is vulnerable to Stored Cross-Site Scripting (XSS) in its chat component and character container component. An attacker can achieve arbitrary client-side script execution by crafting an AI Character with SVG XSS payloads in either description, greeting, example dialog, or system prompt(instructing the LLM to embed XSS payload in its chat response). When a user interacts with such a malicious AI Character or just browse its profile, the script executes in the user’s browser. Successful exploitation can lead to the theft of sensitive information, such as session tokens, potentially resulting in account hijacking.

Attack Vectors

TelegAI is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability within its AI Character chat functionality. This vulnerability impacts user interactions and browsing the character’s profile. To exploit this XSS vulnerability, an attacker can creat an AI Character with 1) crafted profile or 2) system prompt. 1) An attacker can embed SVG XSS payload into the character’s profile(description, greeting and example dialog). When a victim browses the profile, the attack occurs. 2) An attacker can also craft a malicious system prompt instructing the LLM to embed XSS payload in its chat response. Consequently, when a victim engages in a chat with this compromised character, the payload is rendered by the victim’s browser, leading to client-side script execution. This technique effectively uses the character’s configuration to store and deliver the XSS payload. The execution of arbitrary JavaScript code in the victim’s session allows the attacker to steal sensitive data, notably session tokens, which can then be used for account hijacking. Figure 1 shows the Stored XSS POC of a malicious AI character.

Vulnerability affected

This vulnerability can have an impact on any user of https://telegai.com. The cookie (contains the session and token) of user will be stolen when communicates with public malicious agent.