CVE-2025-54074
Published: 13 August 2025
Summary
CVE-2025-54074 is a high-severity OS Command Injection (CWE-78) vulnerability in Cherry-Ai Cherry Studio. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked in the top 5.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SI-10 (Information Input Validation).
Deeper analysis
Cherry Studio is a desktop client supporting multiple LLM providers and is affected by an OS command injection vulnerability (CWE-78) in versions 1.2.5 through 1.5.1. The flaw occurs during connection to an MCP server operating in HTTP Streamable mode, where the client fails to safely handle responses from a malicious authorization server endpoint.
An attacker who controls a compatible MCP server can exploit the issue by crafting OAuth authorization responses that inject arbitrary OS commands. Victims are tricked into initiating a connection to the malicious server, after which the attacker can achieve code execution on the client system with impacts to confidentiality, integrity, and availability.
The vulnerability is addressed in the patch released as version 1.5.2. The corresponding GitHub security advisory and commit 40f9601 document the fix and recommend that users upgrade immediately. The EPSS score has remained flat at 0.1261 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24562
Vulnerability details
Cherry Studio is a desktop client that supports multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can set up a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting to it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.
- CWE(s)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm, mcp
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The OS command injection vulnerability in Cherry Studio client enables adversaries to execute arbitrary OS commands (T1059) by tricking users into connecting to a malicious MCP server, facilitating exploitation for client-side code execution (T1203).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely remediation through patching to version 1.5.2, which fixes the OS command injection flaw.
Prevents OS command injection by validating and sanitizing untrusted inputs received from MCP servers in HTTP Streamable mode.
Blocks connections to malicious MCP servers by requiring authentication of external LLM provider services before establishing sessions.