CVE-2025-58176

Name of the Vulnerable Software and Affected Versions Dive versions 0.9.0 through 0.9.3

Description Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Versions 0.9.0 through 0.9.3 contain a Remote Code Execution (RCE) vulnerability triggered by a crafted URL value, transport, within a JSON object. An attacker can exploit this issue by redirecting a victim to a malicious website or embedding a crafted link in legitimate content. When a victim interacts with the crafted link, the browser invokes Dive’s custom URL handler (dive:), launching the application and executing arbitrary code on the victim’s machine due to improper processing of the custom URL.

Recommendations Update to version 0.9.4 or later.