CVE-2025-54074 Overview
Cherry Studio, a popular desktop client supporting multiple Large Language Model (LLM) providers, contains an OS Command Injection vulnerability in versions 1.2.5 through 1.5.1. The vulnerability is exploitable when a user connects to a malicious Model Context Protocol (MCP) server operating in HTTP Streamable mode. Attackers can configure a rogue MCP server with compatible OAuth authorization server endpoints and trick victims into connecting to it, resulting in arbitrary OS command execution on the victim's system.
Critical Impact
Attackers can achieve full remote code execution on systems running vulnerable Cherry Studio versions by luring users to connect to a malicious MCP server, potentially leading to complete system compromise.
Affected Products
- Cherry Studio versions 1.2.5 through 1.5.1
- cherry-ai cherry_studio desktop client
- Systems using Cherry Studio MCP server connections in HTTP Streamable mode
Discovery Timeline
- August 13, 2025 - CVE-2025-54074 published to NVD
- December 02, 2025 - Last updated in NVD database
Technical Details for CVE-2025-54074
Vulnerability Analysis
This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in how Cherry Studio processes data received from MCP servers when operating in HTTP Streamable mode.
When a user establishes a connection to an MCP server, the application fails to properly sanitize inputs received during the OAuth authorization flow. A malicious actor can craft server responses containing embedded OS commands that are then executed by the Cherry Studio client with the privileges of the running user.
The attack requires user interaction—specifically, the victim must be socially engineered into connecting their Cherry Studio client to an attacker-controlled MCP server. However, once this connection is established, command execution occurs automatically without further user interaction.
Root Cause
The root cause is insufficient input validation and sanitization of data received from MCP server endpoints during the OAuth authorization process. The application trusts and processes server-supplied data without adequately filtering or escaping shell metacharacters, allowing command injection payloads to be executed by the underlying operating system.
Attack Vector
The attack leverages network connectivity to exploit the vulnerability. An attacker must:
- Set up a malicious MCP server with crafted OAuth authorization endpoints
- Convince the victim to connect their Cherry Studio client to this server (via phishing, social engineering, or other means)
- When the victim initiates the connection, the malicious server responds with payloads containing injected OS commands
- Cherry Studio processes these responses without proper sanitization, executing the embedded commands on the victim's system
The vulnerability is exploited over the network and requires the victim to take an active step (connecting to the malicious server), but no authentication is required from the attacker's perspective.
Detection Methods for CVE-2025-54074
Indicators of Compromise
- Unusual outbound network connections from Cherry Studio to unknown or suspicious MCP server endpoints
- Unexpected child processes spawned by the Cherry Studio application
- System command execution patterns inconsistent with normal Cherry Studio operation
- OAuth authorization requests to untrusted or unfamiliar server domains
Detection Strategies
- Monitor process trees for Cherry Studio spawning shell processes (cmd.exe, powershell.exe, /bin/sh, /bin/bash)
- Implement network monitoring to detect connections to non-whitelisted MCP servers
- Deploy endpoint detection rules to identify command injection patterns in application behavior
- Review application logs for suspicious OAuth authorization attempts or malformed server responses
Monitoring Recommendations
- Enable verbose logging for Cherry Studio MCP server connections
- Configure SIEM alerts for command execution anomalies associated with desktop LLM clients
- Implement DNS monitoring to detect connections to newly registered or suspicious domains
- Deploy application allowlisting to restrict which MCP servers users can connect to
How to Mitigate CVE-2025-54074
Immediate Actions Required
- Upgrade Cherry Studio to version 1.5.2 or later immediately
- Audit existing MCP server connections and remove any untrusted or suspicious entries
- Educate users about the risks of connecting to unknown or untrusted MCP servers
- Consider temporarily restricting MCP server connections until the patch is applied
Patch Information
Cherry-ai has released version 1.5.2 which addresses this vulnerability. The fix is available in commit 40f9601379150854826ff3572ef7372fb0acdc38. Organizations should update all Cherry Studio installations to the patched version as soon as possible.
For detailed patch information, refer to the GitHub Security Advisory GHSA-8xr5-732g-84px and the GitHub Commit Update.
Workarounds
- Restrict Cherry Studio network access to only known, trusted MCP servers via firewall rules
- Disable HTTP Streamable mode for MCP connections if the feature is not required
- Implement network segmentation to limit the impact of potential exploitation
- Run Cherry Studio with minimal user privileges to reduce the impact of successful exploitation
# Configuration example
# Restrict Cherry Studio to only connect to trusted MCP servers
# Add to host firewall rules (example for Linux iptables)
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner cherry-studio -d trusted-mcp-server.example.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner cherry-studio -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
