
CVE-2025-59053: CWE-94: Improper Control of Generation of Code ('Code Injection') in moeru-ai airi

Critical
Tags: Vulnerability, CVE-2025-59053, CWE-94
Published: Thu Sep 11 2025 (09/11/2025, 18:26:52 UTC)
Source: CVE Database V5
Vendor/Project: moeru-ai
Product: airi

Description

AIRI is a self-hosted, artificial intelligence based Grok Companion. In v0.7.2-beta.2 in the `packages/stage-ui/src/components/MarkdownRenderer.vue` path, the Markdown content is processed using the useMarkdown composable, and the processed HTML is rendered directly into the DOM using v-html. An attacker creates a card file containing malicious HTML/JavaScript, then simply processes it using the highlightTagToHtml function (which simply replaces template tags without HTML escaping), and then directly renders it using v-html, leading to cross-site scripting (XSS). The project also exposes the Tauri API, which can be called from the frontend. The MCP plugin exposes a command execution interface function in `crates/tauri-plugin-mcp/src/lib.rs`. This allows arbitrary command execution. `connect_server` directly passes the user-supplied `command` and `args` parameters to `Command::new(command).args(args)` without any input validation or whitelisting. Thus, the previous XSS exploit could achieve command execution through this interface. v0.7.2-beta.3 fixes the issue.

AI-Powered Analysis

Last updated: 09/11/2025, 18:37:02 UTC

Technical Analysis

CVE-2025-59053 is a critical vulnerability in moeru-ai's AIRI, version 0.7.2-beta.2. AIRI is a self-hosted AI-based Grok Companion that processes Markdown content and renders it in a Vue.js frontend. The vulnerability arises from improper handling of user-supplied Markdown in `packages/stage-ui/src/components/MarkdownRenderer.vue`: the useMarkdown composable converts Markdown to HTML, and the result is rendered directly into the DOM with Vue's `v-html` directive without sanitization or escaping. The `highlightTagToHtml` function replaces template tags but does not HTML-escape the content, so HTML or JavaScript embedded in a crafted card file passes through unchanged and executes in the context of the application: a cross-site scripting (XSS) vulnerability.

More critically, AIRI exposes the Tauri API, which lets frontend code invoke backend commands. The MCP plugin exposes a command execution interface in Rust (`crates/tauri-plugin-mcp/src/lib.rs`) whose `connect_server` handler passes the user-supplied `command` and `args` parameters straight to `Command::new(command).args(args)` without any validation or whitelisting. The initial XSS can therefore be chained into arbitrary command execution on the host, escalating the impact from client-side script execution to full remote code execution (RCE). The two flaws together substantially enlarge the attack surface and the potential damage.

The vulnerability was fixed in version 0.7.2-beta.3. The CVSS 3.1 score is 9.7 (critical), reflecting the network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and high impact on confidentiality, integrity, and availability.
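The rendering flaw described above, as an added example that is not AIRI's code: a minimal template-tag replacer in the style of `highlightTagToHtml`, once splicing the input into markup verbatim (the pattern the advisory describes) and once escaping every byte of untrusted text first. The `<|text|>` tag syntax, the `highlight` class and the function names are assumptions for this example; the real component's tag syntax is not given on the page. Rust is used for all added examples on this page; the escaping itself is the same five replacements in any language, so the same change applies to a TypeScript composable.

```rust
// Added example, not code from AIRI. Tag syntax `<|text|>` and the
// `highlight` class are constructed for illustration.

/// Escape the characters that can break out of an HTML text or
/// attribute context. Text passed through this cannot introduce tags.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Replace every `<|text|>` tag with a highlight span. `escape` selects
/// whether text is encoded before it is spliced into the markup.
fn render(text: &str, escape: bool) -> String {
    let enc = |s: &str| if escape { escape_html(s) } else { s.to_string() };
    let mut out = String::new();
    let mut rest = text;
    while let Some(start) = rest.find("<|") {
        let (before, tagged) = rest.split_at(start);
        out.push_str(&enc(before));
        let body = &tagged[2..];
        match body.find("|>") {
            Some(end) => {
                out.push_str("<span class=\"highlight\">");
                out.push_str(&enc(&body[..end]));
                out.push_str("</span>");
                rest = &body[end + 2..];
            }
            None => {
                // Unterminated tag: emit the remainder as ordinary text.
                out.push_str(&enc(tagged));
                rest = "";
            }
        }
    }
    out.push_str(&enc(rest));
    out
}

/// The pattern the advisory describes: tags are swapped for markup, but
/// the content is never escaped, so HTML in the input reaches the DOM.
pub fn highlight_tag_to_html_unescaped(text: &str) -> String {
    render(text, false)
}

/// Hardened form: all untrusted input is escaped before it is placed
/// inside the generated HTML; only the span we emit ourselves is markup.
pub fn highlight_tag_to_html(text: &str) -> String {
    render(text, true)
}

fn main() {
    // Constructed card text containing both a tag and stray markup.
    let card = "Hi <|there|> <script>x()</script>";
    println!("unescaped: {}", highlight_tag_to_html_unescaped(card));
    println!("escaped:   {}", highlight_tag_to_html(card));
}
```

The hardened version still produces the intended `<span>` for each tag; what changes is that the only markup in the output is markup the renderer generated itself, which is the property `v-html` needs from its input.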

Potential Impact

For European organizations using AIRI version 0.7.2-beta.2, this vulnerability poses a severe risk. The initial XSS can compromise user sessions, steal sensitive data, or perform actions on behalf of users. More alarmingly, the ability to escalate to arbitrary command execution on the host system can lead to full system compromise, data breaches, lateral movement within networks, and deployment of ransomware or other malware. Organizations relying on AIRI for AI-assisted workflows or knowledge management may face disruption of critical business processes, loss of intellectual property, and regulatory non-compliance, especially under GDPR. The self-hosted nature means that organizations are responsible for patching and securing their deployments; failure to update promptly could expose internal networks to attackers. The vulnerability also risks supply chain attacks if AIRI is integrated into broader software ecosystems. Given the criticality and ease of exploitation, European entities must prioritize remediation to avoid operational and reputational damage.

Mitigation Recommendations

1. Immediately upgrade to AIRI version 0.7.2-beta.3 or later, where the vulnerability is fixed.
2. Implement strict input validation and sanitization on all Markdown content before rendering, using well-maintained libraries that escape or remove dangerous HTML/JavaScript.
3. Restrict or disable the Tauri API command execution interface unless absolutely necessary; if it is required, enforce strict whitelisting of allowed commands and arguments.
4. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script sources and execution contexts.
5. Conduct thorough code audits and penetration testing focused on frontend-backend interaction surfaces, especially where user input is passed to system commands.
6. Monitor logs for unusual command execution patterns or unexpected API calls.
7. Educate developers and administrators on secure coding practices and the risks of direct DOM injection without sanitization.
8. For organizations unable to upgrade immediately, consider isolating AIRI deployments in segmented network zones with limited privileges to reduce the potential impact.
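Recommendation 3 made concrete, as an added example that is not the project's code: an allowlist check placed in front of `Command::new(command).args(args)`, the call the advisory describes in `connect_server`. The check must live in the Rust backend rather than in the frontend, because after the XSS the attacker already controls the frontend and can call the Tauri API directly. The program paths and argument lists in the table are placeholders; an operator would fill in the exact MCP server binaries they deploy.

```rust
// Added example, not AIRI's code. The allowlist entries are placeholders.
use std::process::Command;

/// One permitted launch: an exact program path and the exact argument
/// vector it may be started with. Nothing else is accepted.
struct Rule {
    program: &'static str,
    args: &'static [&'static str],
}

const ALLOWED: &[Rule] = &[
    Rule { program: "/opt/airi/mcp/filesystem-server", args: &["--stdio"] },
    Rule { program: "/opt/airi/mcp/search-server", args: &["--stdio", "--read-only"] },
];

#[derive(Debug, PartialEq)]
pub enum LaunchError {
    ProgramNotAllowed(String),
    ArgsNotAllowed(Vec<String>),
}

/// A launch that passed validation; only this type is turned into a Command.
#[derive(Debug, PartialEq)]
pub struct Launch {
    pub program: String,
    pub args: Vec<String>,
}

/// Compare frontend-supplied `command`/`args` against the allowlist. Both the
/// program and the complete argument vector must match a rule exactly, so a
/// caller cannot substitute a binary or append flags, and a bare name such as
/// "sh" never matches an absolute-path entry.
pub fn validate_launch(command: &str, args: &[String]) -> Result<Launch, LaunchError> {
    let rule = ALLOWED
        .iter()
        .find(|r| r.program == command)
        .ok_or_else(|| LaunchError::ProgramNotAllowed(command.to_string()))?;
    let matches = rule.args.len() == args.len()
        && rule.args.iter().zip(args).all(|(want, got)| *want == got.as_str());
    if !matches {
        return Err(LaunchError::ArgsNotAllowed(args.to_vec()));
    }
    Ok(Launch { program: command.to_string(), args: args.to_vec() })
}

impl Launch {
    /// The only place `Command::new` is reached: after validation succeeded.
    pub fn to_command(&self) -> Command {
        let mut cmd = Command::new(&self.program);
        cmd.args(&self.args);
        cmd
    }
}

fn main() {
    // Constructed requests as a frontend might send them.
    let ok = validate_launch("/opt/airi/mcp/filesystem-server", &["--stdio".to_string()]);
    println!("{:?}", ok);
    let rejected = validate_launch("/bin/sh", &["-c".to_string()]);
    println!("{:?}", rejected);
}
```

Keeping the table as exact (program, argument vector) pairs is deliberate: matching prefixes or filtering "dangerous" characters would still let a caller pick which binary runs, whereas the point of the fix is that the frontend chooses from a fixed menu and never supplies a program name that reaches `Command::new`.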


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-08T16:19:26.173Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c3168a00f99c09afdc9640

Added to database: 9/11/2025, 6:35:54 PM

Last enriched: 9/11/2025, 6:37:02 PM

Last updated: 9/11/2025, 8:44:59 PM
