CVE-2025-54074
Published: 13 August 2025
Summary
CVE-2025-54074 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cherry-Ai Cherry Studio. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 12.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation through patching to version 1.5.2, which fixes the OS command injection flaw.
Prevents OS command injection by validating and sanitizing untrusted inputs received from MCP servers in HTTP Streamable mode.
Blocks connections to malicious MCP servers by requiring authentication of external LLM provider services before establishing sessions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OS command injection vulnerability in Cherry Studio client enables adversaries to execute arbitrary OS commands (T1059) by tricking users into connecting to a malicious MCP server, facilitating exploitation for client-side code execution (T1203).
NVD Description
Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup…
more
a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.
Deeper analysisAI
CVE-2025-54074 is an OS command injection vulnerability (CWE-78) affecting Cherry Studio, a desktop client that supports multiple LLM providers. The issue impacts versions 1.2.5 through 1.5.1 and occurs during connections to a malicious MCP server when operating in HTTP Streamable mode. Published on 2025-08-13 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it allows attackers to execute arbitrary operating system commands on vulnerable clients.
Attackers can exploit this vulnerability remotely without privileges or user interaction by setting up a malicious MCP server with compatible OAuth authorization server endpoints. Victims can then be tricked into connecting to this server, enabling full OS command injection. Successful exploitation grants attackers high-impact access to confidentiality, integrity, and availability on the victim's system.
The vulnerability has been addressed in Cherry Studio version 1.5.2. Official mitigation details are available in the GitHub security advisory (GHSA-8xr5-732g-84px) and the patching commit (40f9601379150854826ff3572ef7372fb0acdc38).
As a client for LLM providers, Cherry Studio's vulnerability highlights risks in AI/ML desktop tools connecting to untrusted servers, though no real-world exploitation has been reported.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Cherry Studio is a desktop client supporting multiple LLM providers, fitting the Enterprise AI Assistants category as it acts as an AI assistant interface for LLMs.