CVE-2025-54063
BaseFortify

Publication date: 2025-08-11

Last updated on: 2025-12-02

Assigner: GitHub, Inc.

Description
Cherry Studio is a desktop client that supports multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app’s custom URL handler is triggered, leading to remote code execution on the victim’s machine. This issue has been patched in version 1.5.1.
Meta Information
Published: 2025-08-11
Last Modified: 2025-12-02
Generated: 2026-05-07
AI Q&A: 2025-08-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| cherry-ai | cherry_studio | From 1.4.8 (inc) to 1.5.1 (exc) |
CWE

| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-54063 is a high-severity remote code execution vulnerability in Cherry Studio versions 1.4.8 to 1.5.0. It arises from improper handling of the app's custom URL scheme, where clicking a specially crafted URL triggers the app's custom URL handler. This leads to execution of attacker-controlled JavaScript in the renderer process, which can exploit exposed Node.js IPC services to write and execute malicious code on the victim's machine. The attack requires only user interaction (clicking the link) and no special privileges or prior authentication. The vulnerability was patched in version 1.5.1. [3]


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary code on your machine with your user privileges by tricking you into clicking a malicious URL. The attacker can overwrite existing executable files with malicious scripts and then execute them, potentially leading to unauthorized access, data compromise, or system manipulation. Since the attack requires only user interaction and no special privileges, it poses a significant security risk to affected users. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for the presence or use of the vulnerable Cherry Studio versions (1.4.8 to 1.5.0) and by detecting if the custom URL scheme `cherrystudio://` is being invoked with suspicious or malformed parameters. Since exploitation requires user interaction with a specially crafted URL, network detection could involve inspecting HTTP logs or browser history for URLs starting with `cherrystudio://` containing base64-encoded or unusual parameters. On the system, checking the installed Cherry Studio version can be done by running commands to query the application version. For example, on macOS, you can check the app version with: `defaults read /Applications/Cherry\ Studio.app/Contents/Info CFBundleShortVersionString`. Additionally, monitoring for unexpected modifications to the file `/Applications/Cherry Studio.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle` or the creation of suspicious files like `~/pwnd` could indicate exploitation. There are no explicit commands provided in the resources, but these approaches align with the vulnerability details. [3]
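
The version check and URL-scheme search described above, as an added example (not from the advisory or the Cherry Studio project). The affected range is the one this page lists; the sample log format and the `cherrystudio://` URLs in it are constructed for illustration, and pre-release suffixes in a version string are compared as their leading number only.

```shell
#!/bin/sh
# Added example: triage for CVE-2025-54063 (affected: 1.4.8 <= version < 1.5.1).

# ver_lt A B: succeed when dotted numeric version A is lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# is_affected VERSION: succeed when VERSION falls in the advisory's range.
is_affected() {
    ! ver_lt "$1" 1.4.8 && ver_lt "$1" 1.5.1
}

# scheme_hits FILE: print how many lines reference the custom URL scheme.
scheme_hits() {
    grep -ci 'cherrystudio://' "$1" || true
}

# write_sample_log FILE: constructed lines standing in for exported browser
# history; the URLs and parameters are invented for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
2025-08-12T09:14:02Z visit https://example.org/docs/setup
2025-08-12T09:15:40Z visit cherrystudio://constructed/path?data=Q09OU1RSVUNURUQ=
2025-08-12T09:16:05Z visit https://example.net/search?q=llm+client
2025-08-12T09:17:31Z visit CherryStudio://constructed/other?x=1
EOF
}

# On macOS, read the installed version with the command the page gives.
plist='/Applications/Cherry Studio.app/Contents/Info'
if command -v defaults >/dev/null 2>&1 &&
   v=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null); then
    if is_affected "$v"; then echo "Cherry Studio $v: AFFECTED, upgrade to 1.5.1+"
    else echo "Cherry Studio $v: outside the affected range"; fi
fi

log=$(mktemp); write_sample_log "$log"
echo "lines referencing cherrystudio:// in sample log: $(scheme_hits "$log")"
rm -f "$log"
```

To run the search against real data, call `scheme_hits` on an exported browser-history or log file instead of the sample.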


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Cherry Studio to version 1.5.1 or later, where the vulnerability has been patched by improving the parsing and handling of the custom URL scheme to prevent remote code execution. If upgrading is not immediately possible, users should avoid clicking on any `cherrystudio://` URLs from untrusted sources and disable or restrict the use of the custom URL handler if feasible. Monitoring and restricting network access to malicious websites hosting exploit URLs can also help. Applying the patch from the official repository or update channel is the recommended and most effective mitigation. [1, 2, 3]

