CVE-2025-54382 CRITICAL

CVE-2025-54382: Cherry Studio RCE Vulnerability Disclosure

Vendor Cherryhq

Product cherry-studio

Weakness CWE-78

Published August 13, 2025

Last update August 13, 2025

View on NVD All CVEs

CVSS base score

9.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.

Key dates

02Disclosure timeline

August 13, 2025 CVE published

August 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-54382

Related vulnerabilities

CVE-2025-54382: Cherry Studio RCE Vulnerability Disclosure

01Description

02Disclosure timeline

03References

04Related CVE