A critical security flaw has been discovered in Cherry Studio, a cross-platform desktop client that supports multiple large language model (LLM) providers. Tracked as CVE-2025-61929 and rated CVSS 9.7, the vulnerability allows attackers to execute arbitrary commands with a single click on a crafted link.
According to the official security advisory, “the exploit chain is similar to another vulnerability report (GHSA-p6vw-w3p8-4g72). When a user clicks on the malicious cherrystudio:// pop-up content, it will directly trigger the execution of arbitrary commands.”
Cherry Studio registers a custom URL protocol — cherrystudio:// — used for managing its MCP (Model Context Protocol) server installation process. However, the application fails to validate the base64-encoded configuration data carried in such a link before executing it. As the advisory explains, “when handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it.”
An attacker can exploit this by embedding a malicious link on a webpage or within an app, enticing a victim to click. Because the pop-up appears legitimate, “the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised.”
In the proof-of-concept (POC) shared by the researcher, clicking a specially crafted link launches the Windows calculator. The advisory warns that “there are more serious dangers, such as writing a timer schedule,” which implies potential for persistence or privilege escalation.
The JSON payload embedded in the attack chain defines a command — for example:
This configuration is then base64-encoded and appended to the cherrystudio://mcp/install URL, making it appear as part of a normal MCP installation process.
Even if the victim attempts to cancel the action, the command still runs. “It will jump to the interface, and even if the user chooses to click back, the command will be executed again,” the advisory notes.
This means a simple one-click interaction can compromise the host system, allowing arbitrary command execution and potential malware installation.
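A hardened handler pattern for this class of bug, as an added example that is not Cherry Studio's code: the base64 configuration in a cherrystudio://mcp/install URL is decoded and validated, nothing executes while parsing, and only an explicit approval (never "back" or cancel) produces a command to launch. The `config` query key, the JSON keys `name`/`command`/`args`, and the launcher allowlist are assumptions made for illustration.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Allowlist of MCP launcher binaries (constructed for this illustration, not Cherry Studio's).
ALLOWED_COMMANDS = {"npx", "uvx"}

def encode_install_url(config: dict) -> str:
    """Build a cherrystudio://mcp/install URL; the 'config' query key is assumed."""
    token = base64.urlsafe_b64encode(json.dumps(config).encode()).decode().rstrip("=")
    return "cherrystudio://mcp/install?" + urlencode({"config": token})

def parse_install_url(url: str) -> dict:
    """Decode and validate an install request without executing anything.
    The JSON keys 'name', 'command' and 'args' are assumed for this example."""
    parts = urlparse(url)
    if (parts.scheme, parts.netloc, parts.path) != ("cherrystudio", "mcp", "/install"):
        raise ValueError("not an MCP install URL")
    token = parse_qs(parts.query).get("config", [""])[0]
    if not token or len(token) > 4096:
        raise ValueError("missing or oversized config")
    try:  # restore stripped padding; any decode or parse error is a rejection
        config = json.loads(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"config is not base64-encoded JSON: {exc}") from exc
    if not isinstance(config, dict):
        raise ValueError("config must be a JSON object")
    command, args = config.get("command"), config.get("args", [])
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"launcher {command!r} is not allowlisted")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    if any(ch in a for a in args for ch in ";&|`$\r\n"):
        raise ValueError("shell metacharacters in args are rejected")
    return {"name": str(config.get("name", "")), "command": command, "args": args}

def is_safe_install_url(url: str) -> bool:
    try:
        return bool(parse_install_url(url))
    except ValueError:
        return False

def argv_for_choice(request: dict, user_choice: str):
    """Only an explicit 'approve' yields an argv (run without a shell); back/cancel yield None."""
    return [request["command"], *request["args"]] if user_choice == "approve" else None

SAMPLE_URL = encode_install_url(  # constructed, harmless sample request
    {"name": "demo", "command": "npx", "args": ["-y", "example-mcp-server"]})
```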
The flaw impacts all Windows, macOS, and Linux versions of Cherry Studio that handle cherrystudio:// protocol links. The vulnerability is rated critical (CVSS 9.7) because it can be triggered without user confirmation beyond a normal click.
While no patch has been officially released at the time of reporting, users are strongly advised to:
- Avoid clicking cherrystudio:// links from untrusted sources.
- Disable custom protocol handlers if possible until a fixed version is available.
- Run Cherry Studio in a sandboxed environment or limit its permissions when testing new features.