Lucene search
+L
Cherry-aiCherry Studio

4 matches found

cve
cve
added 2025/10/10 7:50 p.m.39 views

CVE-2025-61929

Cherry Studio is affected by a code-injection vulnerability where the cherrystudio://mcp protocol handler parses base64-encoded configuration data and directly executes the contained command. Affected component paths include src/main/services/ProtocolClient.ts and src/main/services/urlschema/mcp-...

9.6CVSS6.6AI score0.00439EPSS
Web
cve
cve
added 2025/08/11 5:59 p.m.27 views

CVE-2025-54063

CVE-2025-54063 affects Cherry Studio desktop client (versions 1.4.8–1.5.0) due to improper handling of custom URLs, enabling remote code execution when a user clicks a crafted link or visits a malicious site. The underlying vulnerability is triggered by the app’s custom URL handler, leading to co...

9.6CVSS8AI score0.00759EPSS
cve
cve
added 2025/08/13 1:27 p.m.26 views

CVE-2025-54074

CVE-2025-54074 affects Cherry Studio desktop client, versions 1.2.5–1.5.1, which are vulnerable to OS command injection when connecting to a malicious MCP server over HTTP Streamable mode. The underlying issue arises during the OAuth-enabled connection process, allowing an attacker-controlled MCP...

9.8CVSS8.1AI score0.02144EPSS
cve
cve
added 2025/08/13 1:31 p.m.26 views

CVE-2025-54382

Cherry Studio (desktop client) version 1.5.1 is affected by an RCE vulnerability when connecting to streamableHttp MCP servers due to the server’s implicit trust in OAuth redirection URLs and improper URL sanitization. The issue is mitigated by upgrading to version 1.5.2. Exploitation status is n...

9.6CVSS8.1AI score0.05835EPSS