Search criteria
4 vulnerabilities by cherry-ai
CVE-2025-61929 (GCVE-0-2025-61929)
Vulnerability from cvelistv5 – Published: 2025-10-10 19:50 – Updated: 2025-10-10 20:46
VLAI?
Title
Cherry Studio allows one-click on a specific URL to cause a command to execute
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist.
Severity ?
9.7 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
<= 1.7.0-alpha.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:45:19.405302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:46:08.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0-alpha.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:50:14.036Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-hh6w-rmjc-26f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-hh6w-rmjc-26f6"
}
],
"source": {
"advisory": "GHSA-hh6w-rmjc-26f6",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio allows one-click on a specific URL to cause a command to execute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61929",
"datePublished": "2025-10-10T19:50:14.036Z",
"dateReserved": "2025-10-03T22:21:59.617Z",
"dateUpdated": "2025-10-10T20:46:08.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54382 (GCVE-0-2025-54382)
Vulnerability from cvelistv5 – Published: 2025-08-13 13:31 – Updated: 2025-08-13 14:10
VLAI?
Title
Cherry Studio RCE Vulnerability Disclosure
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.
Severity ?
9.7 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
= 1.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54382",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:08:20.033580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:10:43.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "= 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server\u2019s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T13:31:13.532Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93"
}
],
"source": {
"advisory": "GHSA-gjp6-9cvg-8w93",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio RCE Vulnerability Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54382",
"datePublished": "2025-08-13T13:31:13.532Z",
"dateReserved": "2025-07-21T16:12:20.734Z",
"dateUpdated": "2025-08-13T14:10:43.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54074 (GCVE-0-2025-54074)
Vulnerability from cvelistv5 – Published: 2025-08-13 13:27 – Updated: 2025-08-13 14:15
VLAI?
Title
Cherry Studio is Vulnerable to OS Command Injection during Connection with a Malicious MCP Server
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
>= 1.2.5, < 1.5.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:15:04.480739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:15:16.261Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.5, \u003c 1.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T13:27:28.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/commit/40f9601379150854826ff3572ef7372fb0acdc38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/commit/40f9601379150854826ff3572ef7372fb0acdc38"
}
],
"source": {
"advisory": "GHSA-8xr5-732g-84px",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio is Vulnerable to OS Command Injection during Connection with a Malicious MCP Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54074",
"datePublished": "2025-08-13T13:27:28.232Z",
"dateReserved": "2025-07-16T13:22:18.205Z",
"dateUpdated": "2025-08-13T14:15:16.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54063 (GCVE-0-2025-54063)
Vulnerability from cvelistv5 – Published: 2025-08-11 17:59 – Updated: 2025-08-11 18:15
VLAI?
Title
Cherry Studio One-click Remote Code Execution Vulnerability through Custom URL Handling
Summary
Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app’s custom URL handler is triggered, leading to remote code execution on the victim’s machine. This issue has been patched in version 1.5.1.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CherryHQ | cherry-studio |
Affected:
>= 1.4.8, < 1.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54063",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T18:15:31.571603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T18:15:43.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cherry-studio",
"vendor": "CherryHQ",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.8, \u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app\u2019s custom URL handler is triggered, leading to remote code execution on the victim\u2019s machine. This issue has been patched in version 1.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T17:59:40.626Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-p6vw-w3p8-4g72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-p6vw-w3p8-4g72"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/pull/8218",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/pull/8218"
},
{
"name": "https://github.com/CherryHQ/cherry-studio/commit/ff72c007c03ff47de21a4d0bf52a1ff1fb35cd89",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CherryHQ/cherry-studio/commit/ff72c007c03ff47de21a4d0bf52a1ff1fb35cd89"
}
],
"source": {
"advisory": "GHSA-p6vw-w3p8-4g72",
"discovery": "UNKNOWN"
},
"title": "Cherry Studio One-click Remote Code Execution Vulnerability through Custom URL Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54063",
"datePublished": "2025-08-11T17:59:40.626Z",
"dateReserved": "2025-07-16T13:22:18.204Z",
"dateUpdated": "2025-08-11T18:15:43.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}