CVE-2025-55204
Unknown Unknown - Not Provided
Remote Code Execution in Muffon via Malicious URL Handler

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-55204
EUVD
EUVD-2025-206240
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
staniel359 muffon to 2.3.0 (exc)
staniel359 muffon 2.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-55204 is a high-severity Remote Code Execution (RCE) vulnerability in Muffon versions prior to 2.3.0. It arises from multiple Cross-Site Scripting (XSS) flaws combined with insecure handling of Muffon's custom URL scheme (muffon://). Attackers can embed specially crafted muffon:// links on websites they control. When a victim clicks or visits such a link, the browser launches Muffon and loads an internal page containing malicious XSS payloads without the user's awareness. These payloads exploit Electron APIs to execute arbitrary code on the victim's machine, enabling one-click RCE without further interaction. [3]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to Remote Code Execution on your machine without your further interaction beyond clicking or visiting a malicious link. An attacker can execute arbitrary files or code on your system, potentially compromising confidentiality, integrity, and availability of your data and system. This could result in unauthorized access, data theft, system manipulation, or disruption of services. [3]

Detection Guidance

Detection can focus on monitoring for usage or invocation of the custom URL scheme 'muffon://' which triggers the vulnerable application. On a system, you can check if Muffon versions prior to 2.3.0 are installed. Network detection could involve monitoring HTTP traffic for suspicious 'muffon://' links being accessed or delivered. Specific commands might include searching browser history or logs for 'muffon://' URLs, or checking installed Muffon version via command line. For example, on Linux, you might run 'muffon --version' or check package manager info. However, no explicit detection commands are provided in the resources. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade Muffon to version 2.3.0 or later, as this version patches the vulnerability. Additionally, avoid clicking on or visiting untrusted websites that may contain malicious 'muffon://' links. If possible, disable or restrict the handling of the 'muffon://' custom URL scheme until the update is applied. [3, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart