Cyber Posture

CVE-2025-58176

High · Public PoC · RCE

Published: 03 September 2025

Modified: 11 September 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-58176 is a high-severity Code Injection (CWE-94) vulnerability in Openagentplatform Dive. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 34.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly addresses the improper processing of custom 'dive:' URL parameters like 'transport' by requiring validation of format, type, length, and range to prevent arbitrary code execution.

prevent

Ensures timely identification, reporting, and correction of the RCE flaw fixed through validation and sanitization in Dive version 0.9.4.

prevent · detect

Provides defense-in-depth by scanning for and blocking execution of malicious code resulting from exploitation of the vulnerable custom URL handler.

MITRE ATT&CK Enterprise Techniques · AI

T1189 · Drive-by Compromise · Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 · Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.001 · Malicious Link · Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

RCE via malicious custom URL scheme directly enables drive-by compromise (T1189) and client-side exploitation (T1203) triggered by malicious links (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom URL value, `transport` in the JSON object. An attacker can exploit the vulnerability in the following two scenarios: a victim visits a malicious website controlled by the attacker and the website redirects to the URL automatically, or a victim clicks on such a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes Dive's custom URL handler (dive:), which launches the Dive app and processes the crafted URL, leading to arbitrary code execution on the victim’s machine. This vulnerability is caused by improper processing of the custom URL. This is fixed in version 0.9.4.

Deeper analysis · AI

CVE-2025-58176 is a remote code execution vulnerability affecting Dive, an open-source MCP Host Desktop Application designed for integration with function-calling large language models (LLMs). The issue impacts versions 0.9.0 through 0.9.3 and stems from improper processing of the custom URL scheme "dive:", specifically the "transport" value within a JSON object in the URL. When processed by the Dive application, this flaw allows arbitrary code execution on the victim's machine. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Improper Control of Generation of Code).

Attackers can exploit this vulnerability remotely without privileges by tricking victims into interacting with a malicious "dive:" URL. This occurs in two primary scenarios: a victim visits an attacker-controlled website that automatically redirects to the crafted URL, or the victim clicks a specially crafted link embedded in user-generated content on a legitimate site. In both cases, the browser invokes Dive's custom URL handler, launching the application and executing the malicious payload, resulting in full arbitrary code execution with the application's permissions on the victim's local system.
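An added example (not code from Dive or from the advisory): a Python scanner that a site operator or web proxy could run over HTML to flag `dive:` links in the two delivery scenarios above, separating links that need a click from elements that load on their own. The sample markup and the `placeholder` link bodies are constructed, since the real link format is not shown on this page; the normalisation mirrors how browsers trim whitespace and decode character references before reading the scheme.

```python
import re
from html.parser import HTMLParser

BLOCKED_SCHEMES = {"dive"}  # the custom handler named in the advisory text
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def url_scheme(value):
    """Return the scheme a browser would see, or None for a relative URL."""
    # Browsers drop tab/CR/LF anywhere in a URL and trim leading C0 controls and spaces.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip("".join(map(chr, range(0x21))))
    match = _SCHEME_RE.match(cleaned.lower())
    return match.group(1) if match else None

class DeepLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # values arrive entity-decoded
        for name in URL_ATTRS & attrs.keys():
            if url_scheme(attrs[name]) in BLOCKED_SCHEMES:
                auto = tag in ("iframe", "frame", "embed", "object")
                self.findings.append(("auto-load" if auto else "click", tag, name))
        # <meta http-equiv="refresh" content="0; url=..."> navigates with no click.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            _, _, target = attrs.get("content", "").partition("=")
            if url_scheme(target.strip("'\" ")) in BLOCKED_SCHEMES:
                self.findings.append(("auto-load", "meta", "content"))

def find_deep_links(html_text):
    """Return sorted (kind, tag, attribute) tuples for every blocked-scheme URL."""
    finder = DeepLinkFinder()
    finder.feed(html_text)
    finder.close()
    return sorted(finder.findings)

# Constructed sample: benign links plus several spellings of the same scheme.
SAMPLE = """
<a href="https://example.org/docs">docs</a>
<a href=" DiVe&#58;//placeholder">open in app</a>
<a href="di&#10;ve://placeholder">wrapped</a>
<iframe src="dive://placeholder"></iframe>
<meta http-equiv="refresh" content="0; url=dive://placeholder">
<a href="/dive:notes">relative path</a>
"""
```

On a site that accepts user-generated content, any finding is a reason to strip or rewrite the attribute before the markup is stored or rendered.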

The GitHub security advisory (GHSA-2r34-7pgx-vvrc) and associated commit (acae6d40354d380f69f8241e9122a43ff64cff11) confirm the vulnerability has been fixed in Dive version 0.9.4 through proper validation and sanitization of the custom URL parameters. Security practitioners should advise users to update to 0.9.4 or later and consider disabling or restricting custom URL handlers for Dive until patched.

This vulnerability is particularly relevant in AI/ML contexts, as Dive facilitates LLM function-calling integrations on desktops, potentially exposing users of AI agent platforms to drive-by or social engineering attacks. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-09-03.

Details

CWE(s)

Affected Products

openagentplatform · dive · 0.9.0 — 0.9.4

AI Security Analysis · AI

AI Category: AI Agent Protocols and Integrations
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: No AI-related keywords detected.

CVEs Like This One

CVE-2026-23523 · Same product: Openagentplatform Dive
CVE-2025-66580 · Same product: Openagentplatform Dive
CVE-2026-33336 · Shared CWE-94
CVE-2025-67744 · Shared CWE-94
CVE-2025-46059 · Shared CWE-94
CVE-2026-22793 · Shared CWE-94
CVE-2025-1011 · Shared CWE-94
CVE-2025-54374 · Shared CWE-94
CVE-2024-12471 · Shared CWE-94
CVE-2025-69902 · Shared CWE-94
