CVE-2025-66580 is a critical stored cross-site scripting (XSS) vulnerability affecting the OpenAgentPlatform Dive application, an open-source MCP Host Desktop Application designed to integrate with function-calling large language models (LLMs). The vulnerability exists in versions prior to 0.11.1 within the Mermaid diagram rendering component, which improperly handles user-supplied input that includes the 'javascript:' URI scheme. This flaw allows an attacker to inject arbitrary JavaScript code that is stored and later executed when a user interacts with a compromised node in the diagram. The injected JavaScript can modify the Model Context Protocol (MCP) server configuration, effectively enabling remote code execution (RCE) on the victim's machine. This RCE occurs without requiring prior authentication but does require user interaction (clicking the malicious node). The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), highlighting the unsafe handling of dynamic code generation. The CVSS v3.1 score of 9.7 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, no privileges required, but user interaction needed, and complete compromise of confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the potential impact is severe. The issue is resolved in Dive version 0.11.1, which properly sanitizes inputs and restricts execution of arbitrary JavaScript in Mermaid diagrams.

The impact of CVE-2025-66580 on European organizations is significant due to the potential for remote code execution on endpoints running vulnerable versions of Dive. This can lead to full system compromise, data theft, unauthorized access to sensitive information, and disruption of services. Organizations leveraging Dive for integrating LLMs in their workflows, especially in sectors like technology, research, and AI development, face elevated risks. The vulnerability could be exploited to deploy malware, ransomware, or conduct espionage, affecting confidentiality, integrity, and availability of critical systems. Given the integration with function-calling LLMs, attackers might also manipulate AI-driven processes, causing further operational and reputational damage. The requirement for user interaction (clicking a malicious node) means social engineering or phishing could be used to facilitate exploitation. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for mitigation. European entities with open-source software adoption and AI initiatives are particularly vulnerable.

To mitigate CVE-2025-66580, European organizations should immediately upgrade all instances of Dive to version 0.11.1 or later, which contains the necessary patches to prevent arbitrary JavaScript execution. Until upgrades are complete, restrict access to the application and disable or limit the use of Mermaid diagram rendering features, especially those that accept user-generated content. Implement strict input validation and sanitization on any data fed into Dive, particularly for MCP server configurations and diagram nodes. Educate users about the risks of clicking untrusted or unexpected nodes within diagrams to reduce the likelihood of successful social engineering. Employ endpoint protection solutions capable of detecting and blocking suspicious script execution. Monitor logs and network traffic for unusual activity related to Dive usage. Additionally, consider isolating the application environment or running it within sandboxed containers to limit the blast radius of potential exploitation. Regularly review and update security policies around open-source AI tool usage and integration.