CVE-2025-54382 Overview
CVE-2025-54382 is a Remote Code Execution (RCE) vulnerability affecting Cherry Studio, a desktop client that supports multiple LLM (Large Language Model) providers. The vulnerability exists in version 1.5.1 when connecting to streamableHttp MCP servers. The issue arises from the server's implicit trust in OAuth authentication redirection endpoints and failure to properly sanitize the URL, allowing attackers to execute arbitrary commands on affected systems.
Critical Impact
This vulnerability enables remote attackers to achieve arbitrary code execution on systems running vulnerable Cherry Studio versions by exploiting improper URL sanitization in OAuth redirection handling.
Affected Products
- Cherry-ai Cherry Studio version 1.5.1
- Systems connecting to streamableHttp MCP servers via Cherry Studio
Discovery Timeline
- August 13, 2025 - CVE CVE-2025-54382 published to NVD
- December 1, 2025 - Last updated in NVD database
Technical Details for CVE-2025-54382
Vulnerability Analysis
This Command Injection vulnerability (CWE-78) stems from Cherry Studio's handling of OAuth authentication redirections when connecting to streamableHttp MCP servers. The application implicitly trusts redirection endpoints without validating or sanitizing the URL parameters, creating an attack surface for malicious code execution.
When a user initiates a connection to an MCP server through Cherry Studio, the OAuth flow redirects the user through authentication endpoints. An attacker can craft a malicious URL that exploits this trust relationship, injecting arbitrary commands that execute in the context of the application. This represents a network-accessible attack that requires user interaction but no prior authentication or elevated privileges.
Root Cause
The root cause of this vulnerability is the lack of proper input validation and URL sanitization in the OAuth redirection flow. Cherry Studio version 1.5.1 fails to validate that redirection URLs conform to expected patterns or trusted domains before processing them. This allows attackers to inject command sequences into the URL that are subsequently executed by the underlying operating system.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability by:
- Setting up a malicious MCP server or compromising an existing one
- Crafting a specially formed OAuth redirection URL containing injected commands
- Luring a victim to connect to the malicious server through Cherry Studio
- When the OAuth flow processes the malicious redirection, the injected commands execute
The vulnerability manifests in the OAuth redirection handling mechanism where URL parameters are not properly sanitized before being processed. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2025-54382
Indicators of Compromise
- Unexpected outbound connections from Cherry Studio to unknown or suspicious MCP servers
- Anomalous process spawning from the Cherry Studio application process
- Unusual command-line activity initiated by the Cherry Studio executable
- Network traffic to untrusted OAuth redirection endpoints
Detection Strategies
- Monitor for suspicious URL patterns in Cherry Studio network traffic, particularly in OAuth redirection flows
- Implement application whitelisting to detect unauthorized process execution from Cherry Studio
- Deploy endpoint detection rules to identify command injection patterns in application arguments
- Review Cherry Studio connection logs for connections to unrecognized MCP servers
Monitoring Recommendations
- Enable verbose logging for Cherry Studio network connections and OAuth flows
- Configure SIEM alerts for command injection indicators originating from desktop LLM clients
- Monitor for child processes spawned by Cherry Studio that do not match expected behavior
- Track MCP server connections and maintain an allowlist of trusted servers
How to Mitigate CVE-2025-54382
Immediate Actions Required
- Upgrade Cherry Studio to version 1.5.2 or later immediately
- Audit existing MCP server connections for any suspicious or unrecognized servers
- Review system logs for any indicators of prior exploitation
- Temporarily disconnect from untrusted MCP servers until the patch is applied
Patch Information
Cherry-ai has addressed this vulnerability in Cherry Studio version 1.5.2. The patch implements proper URL validation and sanitization for OAuth redirection endpoints, preventing command injection attacks. Users should update to version 1.5.2 or later to remediate this vulnerability. For complete details, refer to the GitHub Security Advisory.
Workarounds
- Restrict Cherry Studio connections to only known and trusted MCP servers
- Implement network-level controls to block connections to untrusted OAuth endpoints
- Use application firewall rules to limit Cherry Studio's outbound network access
- Consider disabling streamableHttp MCP server connections until patched
# Example: Restrict network access for Cherry Studio (Linux firewall)
# Only allow connections to trusted MCP server domains
iptables -A OUTPUT -p tcp -m owner --cmd-owner cherry-studio -d trusted-mcp-server.example.com -j ACCEPT
iptables -A OUTPUT -p tcp -m owner --cmd-owner cherry-studio --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
