CVE-2025-58176 Overview
CVE-2025-58176 is a Remote Code Execution (RCE) vulnerability affecting Dive, an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. The vulnerability exists in versions 0.9.0 through 0.9.3 and is triggered through improper processing of the custom dive: URL scheme, specifically via a malicious transport value in the JSON object. An attacker can achieve one-click arbitrary code execution on a victim's machine by either redirecting them from a malicious website or embedding a crafted link on a legitimate website containing user-generated content.
Critical Impact
One-click Remote Code Execution allows attackers to execute arbitrary code on victim machines through malicious deep links, requiring only minimal user interaction.
Affected Products
- OpenAgentPlatform Dive versions 0.9.0 through 0.9.3
- Dive MCP Host Desktop Application with custom URL handler (dive: scheme)
- Systems with Dive installed as registered URL handler
Discovery Timeline
- 2025-09-03 - CVE-2025-58176 published to NVD
- 2025-09-11 - Last updated in NVD database
Technical Details for CVE-2025-58176
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The root issue stems from the Dive application's custom URL handler not properly validating and sanitizing input received through deep links. When a user clicks on a malicious dive: protocol link or is redirected to one, the application processes the embedded JSON data without adequate security checks, allowing an attacker to inject arbitrary commands.
The attack requires network access and minimal user interaction—just a single click or automatic redirect. Upon successful exploitation, an attacker gains the ability to execute code with the same privileges as the Dive application, potentially leading to complete compromise of confidentiality, integrity, and availability of the victim's system.
Root Cause
The vulnerability originates from improper processing of custom URL parameters in the Dive application's deep link handler. Specifically, the transport parameter within the JSON object passed through the dive: URL scheme was not properly validated before being used in command execution contexts. This allowed attackers to craft URLs that, when processed, would execute arbitrary code on the victim's machine.
Attack Vector
The attack can be executed through two primary scenarios:
- Malicious Website Redirect: A victim visits an attacker-controlled website that automatically redirects to a crafted dive: URL
- Embedded Link: A victim clicks on a malicious link embedded in user-generated content on a legitimate website
In both cases, the browser invokes Dive's custom URL handler, which launches the Dive application and processes the crafted URL without proper validation, leading to arbitrary code execution.
The security patch introduces a confirmation popup that requires explicit user approval before processing stdio MCP server installation requests via deep links:
import { router } from "./router"
import { useAtom, useAtomValue, useSetAtom } from "jotai"
import { removeOapConfigAtom, writeOapConfigAtom } from "./atoms/configState"
-import { useEffect } from "react"
+import { useEffect, useRef, useState } from "react"
import { handleGlobalHotkey } from "./atoms/hotkeyState"
import { handleWindowResizeAtom } from "./atoms/sidebarState"
import { systemThemeAtom } from "./atoms/themeState"
Source: GitHub Commit
The patch also adds user-facing confirmation messaging:
"retry": "Retry",
"stop": "Stop",
"tip": "If an error occurs during download, please close this window first and restart the application to re-download."
+ },
+ "deeplink": {
+ "mcpInstallConfirm": "Add stdio MCP Service - You will add MCP via the following command, please confirm:"
}
}
Source: GitHub Commit
Detection Methods for CVE-2025-58176
Indicators of Compromise
- Unexpected process spawns originating from the Dive application
- Network connections from Dive to unknown or suspicious external hosts
- Browser history or logs showing redirects to dive: protocol URLs with suspicious JSON payloads
- Unusual command executions with transport parameters containing shell metacharacters or encoded commands
Detection Strategies
- Monitor for process creation events where Dive is the parent process launching unexpected child processes
- Implement URL filtering to detect and block malicious dive: protocol links containing suspicious JSON structures
- Deploy endpoint detection rules to identify code injection patterns through custom URL handlers
- Review browser extension and security software logs for blocked deep link redirects
Monitoring Recommendations
- Enable verbose logging for the Dive application to capture all deep link processing events
- Configure SIEM rules to alert on anomalous process chains involving the Dive executable
- Monitor for outbound connections initiated immediately after Dive application launch
- Track file system modifications in user directories following deep link invocations
How to Mitigate CVE-2025-58176
Immediate Actions Required
- Upgrade Dive to version 0.9.4 or later immediately
- Audit recent activity on systems running vulnerable versions (0.9.0 through 0.9.3)
- Review browser history for any suspicious dive: protocol link invocations
- Consider temporarily unregistering the dive: URL handler until the patch can be applied
Patch Information
The vulnerability has been addressed in Dive version 0.9.4. The fix implements a confirmation popup that displays the exact command being requested before execution, requiring explicit user approval for stdio MCP server installations via deep links. Users should update immediately by downloading the latest release from the official repository.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-2r34-7pgx-vvrc and review the commit changes.
Workarounds
- Unregister the dive: custom URL handler at the operating system level until the application can be updated
- Configure browser security settings to prompt before opening external protocol handlers
- Implement network-level filtering to block access to known malicious domains distributing exploit links
- Educate users about the risks of clicking unknown deep links, especially those from untrusted sources
# Configuration example
# On macOS, you can inspect registered URL handlers:
defaults read ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure
# On Windows, check registry for dive: protocol handler:
reg query HKEY_CLASSES_ROOT\dive
# Consider temporarily removing the handler until patched:
# (Backup your settings before making registry changes)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
