Description

NextChat contains a cross-site scripting (XSS) vulnerability in the HTMLPreview component of artifacts.tsx that allows attackers to execute arbitrary JavaScript code when HTML content is rendered in the AI chat interface. The vulnerability occurs because user-influenced HTML from AI responses is rendered in an iframe with 'allow-scripts' sandbox permission without proper sanitization. This can be exploited through specifically crafted prompts that cause the AI to generate malicious HTML/JavaScript code. When a user views the HTML preview, the injected JavaScript executes in the user's browser context, potentially allowing attackers to exfiltrate sensitive information (including API keys stored in localStorage), perform actions on behalf of the user, and steal session data.

INFO

Published Date :

2025-08-22T00:00:00.000Z

Last Modified :

2025-08-26T14:08:56.968Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-50733 vulnerability.

Vendors Products
Nextchat
  • Nextchat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-50733.

URL Resource
https://github.com/fai1424/Vulnerability-Research/blob/main/CVE-2025-50733/README.md cve-icon cve-icon cve-icon
https://hackmd.io/@fai1424/BkgqMnNxgl cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact