CVE-2025-54382
Published: 13 August 2025
Summary
CVE-2025-54382 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cherry-Ai Cherry Studio. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 14.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Cherry Studio, a desktop client supporting multiple LLM providers, contains a remote code execution vulnerability in version 1.5.1 when connecting to streamableHttp MCP servers. The flaw stems from implicit trust in OAuth authentication redirection endpoints combined with insufficient URL sanitization, classified under CWE-78 as an instance of OS command injection. The vulnerability carries a CVSS 3.1 score of 9.6 reflecting network attack vector, low complexity, no required privileges, and required user interaction that leads to high impact on confidentiality, integrity, and availability with changed scope.
An attacker can exploit the issue by supplying a malicious streamableHttp MCP server URL that triggers unsanitized OAuth redirection handling, resulting in arbitrary code execution on the victim desktop client. Successful exploitation grants the attacker full control over the affected system without needing prior authentication on the target.
The referenced GitHub Security Advisory states that the issue has been resolved in version 1.5.2, indicating that updating to the patched release is the primary mitigation step.
EPSS remains at a modest 0.0238 with no material increase from its recorded peak, providing no indication of emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24569
Vulnerability details
Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit…
more
trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llm, mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE vulnerability in Cherry Studio desktop client enables exploitation for client execution when connecting to malicious streamableHttp MCP servers via unsanitized OAuth redirection URLs.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted URL inputs from OAuth redirection endpoints on streamableHttp MCP servers to prevent OS command injection.
Mandates timely patching of the specific RCE flaw in Cherry Studio version 1.5.1, as fixed in version 1.5.2.
Monitors and controls outbound connections from the desktop client to external streamableHttp MCP servers, blocking access to potentially malicious ones.