PT-2024-21059 · Khoj · Khoj

Calligraf0 · Published 2024-07-08 · Updated 2024-08-28 · CVE-2024-25639

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Khoj versions prior to 1.13.0

Description: Khoj is an application that creates personal AI agents. The Khoj Obsidian, Desktop, and Web clients inadequately sanitize the AI model's response and user inputs. This can trigger Cross-Site Scripting (XSS) via Prompt Injection from untrusted documents, either indexed by the user on Khoj or read by Khoj from the internet when the user invokes the "online" command.

Recommendations: For versions prior to 1.13.0, update to version 1.13.0 to resolve the issue. As a temporary workaround, consider restricting the use of the /online command until the update is applied. Additionally, avoid using untrusted documents with the AI model to minimize the risk of exploitation.
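As an added example (not Khoj's own code), a JavaScript rendering helper for a chat client that treats the model reply as untrusted text: it HTML-escapes the whole reply first and only then re-introduces a small allow-listed markdown subset, so markup echoed from an indexed or fetched document never reaches the DOM as HTML. The markdown subset, the constructed sample reply and the function names are assumptions.

```javascript
// Constructed sample: a model reply that echoes markup planted in an indexed
// document. The unsafe pattern this advisory describes is, in effect,
//   container.innerHTML = reply;
// which hands that markup to the browser as HTML.
const INJECTED_REPLY =
  'Summary of your note: <img src=x onerror="alert(1)"> and [docs](javascript:alert(1))';

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) URLs may become anchors; any other scheme (including
// javascript:) or an unparseable value yields null and stays plain text.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

// Safe pattern: escape everything, then re-add allow-listed markup
// (**bold**, `code`, [text](http(s) url)). Because the input is already
// escaped, the captured groups can never contain raw '<' or '"'.
function renderSafe(reply) {
  let html = escapeHtml(reply);
  html = html.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
  html = html.replace(/`([^`]+)`/g, '<code>$1</code>');
  html = html.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (match, text, url) => {
    // '&' was escaped above; undo that before URL parsing, re-escape on output.
    const href = safeHref(url.replace(/&amp;/g, '&'));
    return href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`
      : match; // not an allowed link: leave the escaped text untouched
  });
  return html;
}

// Usage: container.innerHTML = renderSafe(reply); the injected <img> and the
// javascript: link above survive only as visible text, never as elements.
```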

Exploit

Fix

XSS

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2024-25639
GHSA-H2Q2-VCH3-72QM

Affected Products

Khoj