CVE-2025-14204 MEDIUM

CVE-2025-14204: TykoDev cherry-studio-TykoFork OAuth Server Discovery oauth-authorization-server redirectToAuthorization os command injection

Vendor Tykodev
Product cherry-studio-TykoFork
Weakness CWE-78
Published December 7, 2025
Last update December 8, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Key dates

02Disclosure timeline

December 7, 2025 CVE published
December 8, 2025 Record updated