CVE-2025-51859: Chaindesk Agent Chat XSS Vulnerability Exposes JWT Tokens

Chaindesk users, beware! A stored Cross-Site Scripting (XSS) vulnerability has been discovered in the agent chat component of Chaindesk, potentially allowing attackers to steal sensitive information and hijack accounts. This vulnerability, identified as CVE-2025-51859, stems from the ability to inject malicious scripts into AI agent responses, which are then executed when a user interacts with the agent.

Vulnerability Details

  • CVE ID: CVE-2025-51859
  • Description: Stored Cross-Site Scripting (XSS) vulnerability in the agent chat component of Chaindesk through 2025-05-26. An attacker can craft an AI agent whose system prompt instructs the underlying Large Language Model (LLM) to embed malicious script payloads (e.g., SVG-based XSS) into its chat responses. When a user interacts with such a malicious agent or accesses a direct link to a conversation containing an XSS payload, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as JWT session tokens, potentially resulting in account hijacking.
  • CVSS Score: 6.5 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVSS Explanation: This vulnerability allows a remote attacker with no privileges to execute arbitrary code in a user's browser if the user interacts with a malicious agent or link. The impact is high on confidentiality, meaning an attacker can steal sensitive data.
  • Exploit Requirements: User interaction is required. An attacker must craft a malicious AI agent and lure a user into interacting with it.
  • Affected Vendor: Chaindesk
  • Affected Product: Chaindesk
  • Affected Version: Through 2025-05-26
  • CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Timeline of Events

  • 2025-05-26: Last day of affected version range.
  • 2025-07-22: CVE ID assigned and vulnerability disclosed.

Exploitability & Real-World Risk

This vulnerability poses a significant risk because it can be exploited to steal JWT session tokens. JWTs are commonly used for authentication, and stealing them allows an attacker to impersonate the victim and gain unauthorized access to their account. The fact that the XSS is stored means that the malicious script is persistently present, potentially affecting multiple users who interact with the compromised AI agent.

The dependency on user interaction lowers the CVSS score, but the potential impact of account hijacking is severe. An attacker could use this vulnerability to spread malware, steal sensitive data, or perform other malicious activities on behalf of the compromised user.

Recommendations

  • Patch: Apply the latest security patch from Chaindesk as soon as it becomes available.
  • Input Validation: Chaindesk should implement robust input validation and sanitization to prevent the injection of malicious scripts into AI agent responses.
  • Content Security Policy (CSP): Implement and enforce a strict Content Security Policy (CSP) to mitigate the impact of XSS vulnerabilities.
  • User Awareness: Educate users about the risks of interacting with unknown or untrusted AI agents.

Technical Insight

The vulnerability arises because Chaindesk's AI agents use Large Language Models (LLMs), and the system prompts controlling the LLM's behavior are not properly sanitized. This allows an attacker to craft a system prompt that instructs the LLM to include malicious script payloads, such as SVG-based XSS, in its chat responses. When a user views the chat response, the script is executed in their browser.
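
As an added example (not Chaindesk's code), here is one way a chat front end can treat every agent reply as untrusted text: escape it first, then re-apply a small formatting allowlist, so markup in a model response is displayed rather than executed. The function names and the sample reply are assumptions made for illustration.

```javascript
// Added example (not Chaindesk code): render an LLM reply as untrusted text.
// All names and sample values here are assumptions for illustration.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_UNESCAPES = Object.fromEntries(Object.entries(HTML_ESCAPES).map(([k, v]) => [v, k]));

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function unescapeHtml(text) {
  return text.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Only http(s) links are allowed; any other scheme is left as plain text.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" || parsed.protocol === "http:" ? parsed.href : null;
  } catch {
    return null; // not an absolute URL
  }
}

function renderAgentMessage(raw) {
  // 1. Escape everything, so no tag or attribute emitted by the model survives.
  let html = escapeHtml(raw);
  // 2. Re-introduce a fixed allowlist of formatting on the already-escaped text.
  html = html.replace(/`([^`\n]+)`/g, "<code>$1</code>");
  html = html.replace(/\*\*([^*\n]+)\*\*/g, "<strong>$1</strong>");
  html = html.replace(/\[([^\]\n]+)\]\(([^)\s]+)\)/g, (match, label, url) => {
    const href = safeHref(unescapeHtml(url));
    if (!href) return match; // rejected link stays visible as escaped text
    return `<a href="${escapeHtml(href)}" rel="noopener noreferrer nofollow">${label}</a>`;
  });
  return html.replace(/\n/g, "<br>");
}

// Constructed sample reply: markup the model was told to emit, plus normal formatting.
const SAMPLE_REPLY = 'Hi <svg onload="console.log(1)"></svg> **bold**';
console.log(renderAgentMessage(SAMPLE_REPLY));
```

The returned string is the only thing that should be assigned to the message element's HTML; the raw model output never reaches the DOM.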

Credit to Researcher(s)

This vulnerability was discovered by Secsys-FDU.

Summary: A stored XSS vulnerability in Chaindesk's agent chat component (CVE-2025-51859) allows attackers to inject malicious scripts via AI agent responses, potentially stealing JWT tokens and hijacking user accounts. Users should apply patches and be cautious when interacting with AI agents.

CVE ID: CVE-2025-51859

Risk Analysis: Successful exploitation could lead to the theft of JWT session tokens, enabling account hijacking. This allows attackers to impersonate users, access sensitive data, and perform unauthorized actions on their behalf.

Recommendation: Apply the latest security patches from Chaindesk, implement robust input validation and sanitization, enforce a strict Content Security Policy (CSP), and educate users about the risks of interacting with unknown AI agents.
