Cyber Resilience

CVE-2025-54382

CriticalPublic PoCRCE

Published: 13 August 2025

Published
13 August 2025
Modified
01 December 2025
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0238 85.3th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54382 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cherry-Ai Cherry Studio. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 14.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Cherry Studio, a desktop client supporting multiple LLM providers, contains a remote code execution vulnerability in version 1.5.1 when connecting to streamableHttp MCP servers. The flaw stems from implicit trust in OAuth authentication redirection endpoints combined with insufficient URL sanitization, classified under CWE-78 as an instance of OS command injection. The vulnerability carries a CVSS 3.1 score of 9.6 reflecting network attack vector, low complexity, no required privileges, and required user interaction that leads to high impact on confidentiality, integrity, and availability with changed scope.

An attacker can exploit the issue by supplying a malicious streamableHttp MCP server URL that triggers unsanitized OAuth redirection handling, resulting in arbitrary code execution on the victim desktop client. Successful exploitation grants the attacker full control over the affected system without needing prior authentication on the target.

The referenced GitHub Security Advisory states that the issue has been resolved in version 1.5.2, indicating that updating to the patched release is the primary mitigation step.

EPSS remains at a modest 0.0238 with no material increase from its recorded peak, providing no indication of emerging exploitation interest after disclosure.

EU & UK References

Vulnerability details

Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit…

more

trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llm, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

RCE vulnerability in Cherry Studio desktop client enables exploitation for client execution when connecting to malicious streamableHttp MCP servers via unsanitized OAuth redirection URLs.

CVEs Like This One

CVE-2025-54074Same product: Cherry-Ai Cherry Studio
CVE-2025-54063Same product: Cherry-Ai Cherry Studio
CVE-2025-54135Shared CWE-78
CVE-2025-54136Shared CWE-78
CVE-2025-61591Shared CWE-78
CVE-2025-64106Shared CWE-78
CVE-2026-24844Shared CWE-78
CVE-2025-64109Shared CWE-78
CVE-2025-1244Shared CWE-78
CVE-2026-41015Shared CWE-78

Affected Assets

cherry-ai
cherry studio
≤ 1.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted URL inputs from OAuth redirection endpoints on streamableHttp MCP servers to prevent OS command injection.

prevent

Mandates timely patching of the specific RCE flaw in Cherry Studio version 1.5.1, as fixed in version 1.5.2.

prevent

Monitors and controls outbound connections from the desktop client to external streamableHttp MCP servers, blocking access to potentially malicious ones.

References