Cyber Posture

CVE-2025-55204

High · Public PoC · RCE

Published: 05 January 2026

Modified: 12 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (66.3th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55204 is a high-severity Code Injection (CWE-94) vulnerability in Muffon. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 33.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the RCE vulnerability by requiring timely patching of the flawed muffon:// URL handler as fixed in version 2.3.0.

prevent

Addresses the root cause by enforcing validation of inputs processed by the custom URL handler to block malicious code injection.

detect · respond

Provides malicious code protection at system entry points to detect and eradicate code executed from exploited muffon:// links.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

CVE-2025-55204 enables remote code execution by exploiting a vulnerability in the Muffon desktop client's custom URL handler, directly facilitating T1203: Exploitation for Client Execution via malicious muffon:// links from websites.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.

Deeper analysis · AI

CVE-2025-55204 is a one-click remote code execution (RCE) vulnerability affecting Muffon, a cross-platform music streaming client for desktop environments. Versions prior to 2.3.0 are vulnerable due to insufficient validation in the application's custom URL handler for muffon:// scheme links. The issue is classified under CWE-94 (code injection) and CWE-79 (cross-site scripting), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity from network-accessible exploitation requiring minimal user interaction.

An attacker who controls a website can embed a specially crafted muffon:// link, which triggers when a victim visits the site or clicks the link. This causes the victim's browser to invoke Muffon's custom URL handler, launching the application and processing the malicious payload, resulting in arbitrary code execution on the victim's machine without additional interaction. No attacker privileges are required, enabling unauthenticated remote exploitation against users with Muffon installed.

The GitHub security advisory (GHSA-gc3f-gqph-522q) and the release notes for version 2.3.0 confirm that updating to Muffon 2.3.0 fully patches the vulnerability by addressing the URL handler flaw. Practitioners should advise users to upgrade immediately and to avoid clicking untrusted muffon:// links. A proof-of-concept is available via the referenced Google Drive file for testing purposes.

Details

CWE(s)

Affected Products

muffon
muffon
≤ 2.3.0

CVEs Like This One

CVE-2026-33976 · Shared CWE-79, CWE-94
CVE-2026-40322 · Shared CWE-79, CWE-94
CVE-2024-57061 · Shared CWE-94
CVE-2026-33955 · Shared CWE-79, CWE-94
CVE-2026-32751 · Shared CWE-79
CVE-2026-39846 · Shared CWE-79, CWE-94
CVE-2026-21853 · Shared CWE-94
CVE-2025-27678 · Shared CWE-94
CVE-2025-66562 · Shared CWE-79, CWE-94
CVE-2026-34585 · Shared CWE-79, CWE-94

References