Vulnerability Description
TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4.
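As an added defender-side illustration of the fix pattern (example code, not TUUI's own), the renderer below treats an ECharts code block as JSON data validated against an allow-list instead of evaluating it as JavaScript; the fenced `echarts` block syntax, function names and allow-list are assumptions.

```javascript
// Added example, not TUUI's own code: a data-only handler for echarts-fenced
// blocks in a Markdown renderer. Names, allow-list and fence syntax are assumptions.
const FENCE = '`'.repeat(3);            // three backticks, built this way to keep the listing clean
const ALLOWED_TOP_LEVEL_KEYS = new Set([
  'title', 'tooltip', 'legend', 'grid', 'xAxis', 'yAxis', 'series', 'color',
]);

// Parse one chart spec. Returns { ok: true, option } or { ok: false, error }.
// JSON.parse yields plain data: it cannot produce functions or run code, which is
// exactly the property an eval-style renderer lacks.
function parseEchartsSpec(source) {
  let option;
  try {
    option = JSON.parse(source);
  } catch (err) {
    return { ok: false, error: 'chart spec is not valid JSON' };
  }
  if (option === null || typeof option !== 'object' || Array.isArray(option)) {
    return { ok: false, error: 'chart spec must be a JSON object' };
  }
  for (const key of Object.keys(option)) {
    if (!ALLOWED_TOP_LEVEL_KEYS.has(key)) {
      return { ok: false, error: 'unsupported option key: ' + key };
    }
  }
  return { ok: true, option };
}

// Find every echarts-fenced block in a Markdown message and return one result per
// block. Only the fenced body is inspected; the rest goes to the normal renderer.
const ECHARTS_FENCE = new RegExp(FENCE + 'echarts[ \\t]*\\n([\\s\\S]*?)\\n' + FENCE, 'g');

function renderMarkdownCharts(markdown) {
  return Array.from(markdown.matchAll(ECHARTS_FENCE), (m) => parseEchartsSpec(m[1]));
}

// Constructed sample message: block one is a data-only spec, block two is a
// JavaScript statement. An eval-style renderer would run both; only the first passes.
const SAMPLE_MESSAGE = [
  'Here is the chart:',
  FENCE + 'echarts',
  '{"title": {"text": "CPU"}, "xAxis": {"type": "category", "data": ["a", "b"]},',
  ' "yAxis": {"type": "value"}, "series": [{"type": "bar", "data": [1, 2]}]}',
  FENCE,
  'and another:',
  FENCE + 'echarts',
  'option = { title: { text: "not data" } }',
  FENCE,
].join('\n');
```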
CVSS Score
9.6 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Aiql | Tuui | < 1.3.4 |
Related Weaknesses (CWE)
References
- https://github.com/AI-QL/tuui/commit/f673fa5b4d76e8236c7d9506d0727875cfa79cc1 (Patch)
- https://github.com/AI-QL/tuui/releases/tag/v1.3.4 (Product, Release Notes)
- https://github.com/AI-QL/tuui/security/advisories/GHSA-qjhq-rgmr-6c3g (Patch, Vendor Advisory)
FAQ
What is CVE-2025-66562?
CVE-2025-66562 is a vulnerability with a CVSS score of 9.6 (CRITICAL). TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (...
How severe is CVE-2025-66562?
CVE-2025-66562 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-66562?
Check the references section above for vendor advisories and patch information. Affected products include: Aiql Tuui.