PT-2025-32990 · Unknown · Cherry-Studio

Published: 2025-08-13 · Updated: 2025-12-01 · CVE-2025-54382

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cherry Studio versions prior to 1.5.2

Description: Cherry Studio is a desktop client that supports multiple LLM providers. A remote code execution (RCE) issue exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The problem stems from the server's implicit trust in the OAuth auth redirection endpoints and failure to properly sanitize the URL. The vulnerable component is the handling of OAuth authentication redirection endpoints.

Recommendations: Update to Cherry Studio version 1.5.2 or later.
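The description attributes the RCE to trusting a remote-supplied OAuth redirection URL without sanitizing it. As an added illustration (not Cherry Studio's code and not the 1.5.2 fix), the validator below shows the kind of check a desktop client can apply before handing such a URL to a system opener; the function names, the loopback-http allowance and the optional host allowlist are assumptions.

```javascript
// Added example, not Cherry Studio's own code or its 1.5.2 fix: validate an
// OAuth redirect URL received from a remote MCP server before it reaches a
// system opener such as Electron's shell.openExternal. The rules below
// (https only, plain http only for loopback OAuth callbacks, no embedded
// credentials, optional host allowlist) are assumptions for illustration.

const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function validateOAuthRedirectUrl(raw, allowedHosts = null) {
  let url;
  try {
    url = new URL(String(raw)); // WHATWG parser, never ad-hoc string splitting
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Only web schemes: file:, javascript:, app-registered protocol handlers
  // and anything else a launcher might route to a local program are refused.
  if (url.protocol === 'http:') {
    if (!LOOPBACK_HOSTS.has(url.hostname)) return { ok: false, reason: 'plain-http' };
  } else if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // Embedded userinfo in a redirect target is a confusion/phishing vector.
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };
  // Optional pinning to the identity provider(s) the user actually configured.
  if (allowedHosts && !allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: 'host-not-allowed' };
  }
  // Hand back the normalised form so callers pass one parsed value onward.
  return { ok: true, href: url.href };
}

// The opener must receive the URL as a single argument (shell.openExternal
// does); building a command line by concatenating the string is the pattern
// that turns an unvalidated URL into OS command injection.
function openRedirect(raw, opener, allowedHosts = null) {
  const v = validateOAuthRedirectUrl(raw, allowedHosts);
  if (!v.ok) return { opened: false, reason: v.reason };
  opener(v.href);
  return { opened: true, href: v.href };
}
```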

Tags: Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2025-54382, GHSA-GJP6-9CVG-8W93

Affected Products: Cherry-Studio