CVE-2025-54382
Published: 13 August 2025
Summary
CVE-2025-54382 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cherry-Ai Cherry Studio. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 24.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of untrusted URL inputs from OAuth redirection endpoints on streamableHttp MCP servers to prevent OS command injection.
Mandates timely patching of the specific RCE flaw in Cherry Studio version 1.5.1, as fixed in version 1.5.2.
Monitors and controls outbound connections from the desktop client to external streamableHttp MCP servers, blocking access to potentially malicious ones.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE vulnerability in Cherry Studio desktop client enables exploitation for client execution when connecting to malicious streamableHttp MCP servers via unsanitized OAuth redirection URLs.
NVD Description
Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit…
more
trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.
Deeper analysisAI
CVE-2025-54382 is a remote code execution (RCE) vulnerability in Cherry Studio, a desktop client that supports multiple LLM providers. The issue affects version 1.5.1 of the Cherry Studio platform specifically when connecting to streamableHttp MCP servers. It stems from the server's implicit trust in OAuth authentication redirection endpoints combined with a failure to properly sanitize URLs, mapped to CWE-78 (OS Command Injection). The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-08-13.
A remote attacker can exploit this vulnerability by luring a user into connecting to a malicious streamableHttp MCP server, which requires user interaction such as clicking a link or initiating a connection but no prior privileges. Upon successful exploitation, the attacker achieves RCE on the victim's desktop system, granting high-impact access to compromise confidentiality, integrity, and availability.
The vulnerability has been patched in Cherry Studio version 1.5.2. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Cherry Studio is a desktop client supporting multiple LLM providers, functioning as an enterprise-level AI assistant interface for interacting with LLMs.