CVE-2025-61929
October 10, 2025
Cherry Studio is a desktop client that supports multiple LLM providers. It registers a custom URL protocol, "cherrystudio://". When it handles an MCP installation URL, it parses the base64-encoded configuration data carried in the URL and directly executes the command contained in that configuration. In the files "src/main/services/ProtocolClient.ts" and "src/main/services/urlschema/mcp-install.ts", a URL of the "cherrystudio://mcp" type is dispatched to the "handleMcpProtocolUrl" function for processing. If an attacker crafts malicious content and publishes it on a website or elsewhere (there are many delivery methods, such as a malicious website with a button that carries the content), then when the user clicks it, the pop-up window shows ordinary-looking content, the click is treated as a deliberate user action, and the malicious command runs directly, compromising the user. As of the time of publication, no known patched versions exist.
Affected Packages
https://github.com/CherryHQ/cherry-studio.git (GITHUB):
Affected version(s): >=v0.2.0 <v1.6.4
Fix Suggestion:
Update to version v1.6.4
CVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Control of Generation of Code ('Code Injection')
EPSS
Base Score:
0.07