CVE-2025-61929
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61929
EUVD
EUVD-2025-33778
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cherry-ai cherry_studio to 1.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Cherry Studio, a desktop client that supports multiple LLM providers. The application registers a custom protocol 'cherrystudio://'. When handling URLs of the type 'cherrystudio://mcp', it parses base64-encoded configuration data and directly executes commands contained within it. An attacker can craft malicious content, such as a specially crafted URL posted on a website. If a user clicks this malicious link, the command embedded in the URL is executed directly, compromising the user. This happens because the pop-up window appears normal, so the click is treated as a legitimate user action.

Impact Analysis

This vulnerability can lead to severe impacts including full compromise of the user's system. Since the malicious command is executed with user interaction and no privileges are required, an attacker can execute arbitrary commands remotely. The CVSS score of 9.6 indicates high severity with impacts on confidentiality, integrity, and availability, meaning attackers can steal data, alter or destroy data, and disrupt system operations.

Mitigation Strategies

Since no patched versions exist as of the publication date, immediate mitigation steps include educating users to avoid clicking on suspicious links or buttons that use the cherrystudio:// protocol, especially those related to mcp installation URLs. Additionally, consider restricting or monitoring the use of the custom protocol handler 'cherrystudio://' on affected systems to prevent execution of malicious commands.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart