CVE-2025-61929 Overview
CVE-2025-61929 is a critical code injection vulnerability in Cherry Studio, a desktop client that supports multiple LLM providers. The vulnerability exists in the custom protocol handler cherrystudio:// which improperly handles MCP installation URLs. When processing URLs of the cherrystudio://mcp type, the application parses base64-encoded configuration data and directly executes commands contained within it, enabling remote attackers to execute arbitrary commands on the victim's system.
Critical Impact
Remote attackers can achieve arbitrary command execution on victim systems by crafting malicious cherrystudio://mcp URLs. A single click on a malicious link or button triggers command execution with no additional user interaction required beyond the initial click.
Affected Products
- Cherry-ai Cherry Studio (all versions as of publication)
Discovery Timeline
- 2025-10-10 - CVE-2025-61929 published to NVD
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2025-61929
Vulnerability Analysis
This vulnerability is a severe code injection flaw (CWE-94) in Cherry Studio's custom protocol implementation. The application registers a handler for the cherrystudio:// URL scheme, which is intended to simplify MCP (Model Context Protocol) installation workflows. However, the implementation fails to properly validate or sanitize the command data embedded within these URLs before execution.
The attack requires network access and user interaction in the form of clicking a malicious link. While user interaction is required, the pop-up window displayed to users contains seemingly normal content, making it difficult for users to distinguish malicious requests from legitimate ones. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component's security scope, potentially compromising the entire host system.
Root Cause
The root cause lies in the improper handling of user-controlled input in the URL protocol handler. Specifically, within src/main/services/ProtocolClient.ts and src/main/services/urlschema/mcp-install.ts, the handleMcpProtocolUrl function processes incoming cherrystudio://mcp URLs by extracting and decoding base64-encoded configuration data. This decoded data contains commands that are directly executed without proper validation, sanitization, or sandboxing.
The fundamental security flaw is the trust placed in externally-provided URL data. The application treats the base64-encoded content as trusted input and executes embedded commands, violating the principle of least privilege and failing to implement proper input validation.
Attack Vector
The attack exploits the custom protocol registration that allows web browsers and other applications to invoke Cherry Studio via cherrystudio:// URLs. An attacker crafts a malicious URL containing base64-encoded command payloads and distributes it through various channels such as:
- Malicious websites with deceptive buttons or links
- Phishing emails containing the crafted URL
- Social engineering through messaging platforms
- Injected content on compromised legitimate websites
When a user clicks the malicious link, their browser invokes Cherry Studio's protocol handler. The application presents a pop-up that appears to contain normal installation content, masking the malicious nature of the request. Upon user confirmation (which appears to be a routine action), the embedded commands execute with the privileges of the Cherry Studio application, potentially leading to full system compromise.
The vulnerability is particularly dangerous because it leverages the trust users place in the application's native functionality, making social engineering attacks highly effective.
Detection Methods for CVE-2025-61929
Indicators of Compromise
- Unexpected process spawning from Cherry Studio application processes
- Suspicious command-line arguments in processes launched by Cherry Studio
- Network connections to unknown destinations initiated after Cherry Studio protocol handler invocation
- Unusual file system modifications following interaction with cherrystudio:// URLs
Detection Strategies
- Monitor process creation events where Cherry Studio is the parent process, looking for shell interpreters or unusual child processes
- Implement URL logging to capture and analyze cherrystudio://mcp protocol invocations
- Deploy application-level monitoring to detect base64-encoded payloads in protocol handler arguments
- Correlate browser navigation events with Cherry Studio process activity for anomaly detection
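The root cause described above and the URL-logging strategy in this list can be combined into a triage step: decode each logged cherrystudio://mcp URL and report the commands it carries, without running anything. This is an added example, not Cherry Studio code. It assumes the configuration is base64 JSON in a query parameter whose entries use MCP-style "command"/"args" fields; the allowlist, the "data" parameter name and the sample URLs are constructed placeholders.

```javascript
// Added example (not Cherry Studio code). Decodes only; nothing is executed.
// Assumed: base64 JSON in some query parameter, entries with "command"/"args".
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"]);
const ALLOWED = new Set(["npx", "uvx"]); // hypothetical allowlist of approved launchers

function decodeBase64Json(value) {
  // URLSearchParams turns "+" into " "; also accept the URL-safe alphabet.
  const b64 = value.replace(/ /g, "+").replace(/-/g, "+").replace(/_/g, "/");
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  try { return JSON.parse(Buffer.from(b64, "base64").toString("utf8")); } catch { return null; }
}

function collectCommands(node, out = []) {
  // Gather every object carrying a string "command", at any nesting depth.
  if (node && typeof node === "object") {
    if (typeof node.command === "string") {
      out.push({ command: node.command, args: Array.isArray(node.args) ? node.args.map(String) : [] });
    }
    Object.values(node).forEach((v) => collectCommands(v, out));
  }
  return out;
}

function triageUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { relevant: false, findings: [] }; }
  if (url.protocol !== "cherrystudio:" || url.hostname.toLowerCase() !== "mcp") return { relevant: false, findings: [] };
  const findings = [];
  for (const value of url.searchParams.values()) {
    for (const { command, args } of collectCommands(decodeBase64Json(value))) {
      const base = command.split(/[\\/]/).pop().toLowerCase(); // strip any directory prefix
      const reasons = [];
      if (SHELLS.has(base)) reasons.push("shell interpreter");
      if (!ALLOWED.has(base)) reasons.push("launcher not on allowlist");
      if (args.some((a) => /[;&|`$<>]/.test(a))) reasons.push("shell metacharacters in args");
      findings.push({ command, args, reasons });
    }
  }
  return { relevant: true, findings };
}

// Constructed samples; the "data" parameter name and "/example" path are placeholders.
const sampleUrl = (config) =>
  "cherrystudio://mcp/example?data=" + encodeURIComponent(Buffer.from(JSON.stringify(config)).toString("base64"));
const SAMPLE_OK = sampleUrl({ mcpServers: { demo: { command: "npx", args: ["-y", "example-mcp-server"] } } });
const SAMPLE_FLAGGED = sampleUrl({ mcpServers: { demo: { command: "/bin/bash", args: ["-c", "echo constructed; echo sample"] } } });
for (const u of [SAMPLE_OK, SAMPLE_FLAGGED, "https://example.com/"]) console.log(JSON.stringify(triageUrl(u)));
```

Any finding with a non-empty reasons list is worth correlating with the process-creation events described in the first item of this list.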
Monitoring Recommendations
- Enable detailed logging for custom protocol handler invocations within the application
- Implement endpoint detection rules to alert on command execution patterns originating from Electron-based applications
- Monitor for registry modifications related to custom URL protocol handlers
- Review network traffic following Cherry Studio launch for suspicious outbound connections
How to Mitigate CVE-2025-61929
Immediate Actions Required
- Consider disabling or uninstalling Cherry Studio until a patched version is available
- Remove or disable the cherrystudio:// URL protocol handler registration from the system
- Educate users about the risks of clicking unknown links that invoke desktop applications
- Implement network-level blocking for known malicious URLs targeting this vulnerability
- Deploy endpoint protection solutions capable of detecting command injection patterns
Patch Information
As of the publication date, no known patched versions exist for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates on available patches. Until a fix is released, implementing the workarounds below is strongly recommended.
Workarounds
- Unregister the cherrystudio:// protocol handler from the operating system to prevent exploitation
- Use browser extensions or security tools to block custom protocol invocations
- Restrict Cherry Studio network access using host-based firewalls
- Deploy application allowlisting to control which applications can be invoked via URL protocols
- Consider running Cherry Studio in a sandboxed environment if continued use is necessary
# Windows: Remove protocol handler registration (run as Administrator)
reg delete "HKEY_CLASSES_ROOT\cherrystudio" /f
# macOS: Modify Info.plist to remove URL scheme (requires app modification)
# Navigate to Cherry Studio.app/Contents/Info.plist and remove CFBundleURLTypes entry
# Linux: Remove .desktop file URL handler or modify MimeType entries
# Location varies by distribution, typically in ~/.local/share/applications/

