CVE-2025-54063

8.0 HIGH
Published: August 11, 2025 Modified: December 02, 2025
View on NVD

Description

Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the appโ€™s custom URL handler is triggered, leading to remote code execution on the victimโ€™s machine. This issue has been patched in version 1.5.1.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/CherryHQ/cherry-studio/commit/ff72c007c03ff47de21a4d0bf52a1ff1fb35cd89
Source: security-advisories@github.com
Patch
https://github.com/CherryHQ/cherry-studio/pull/8218
Source: security-advisories@github.com
Patch
https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-p6vw-w3p8-4g72
Source: security-advisories@github.com
Exploit Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.0 / 10.0
EPSS (Exploit Probability)
0.4%
59th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-94

Affected Vendors

cherry-ai

Related CVEs

CVE-2026-2072 8.2
CVE-2026-1166 4.3
CVE-2026-4784 7.3
CVE-2026-4766 6.4
CVE-2026-4783 6.3