CVE-2025-14204: OS Command Injection in TykoDev cherry-studio-TykoFork
A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to OS command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-14204 identifies an OS command injection vulnerability in the TykoDev cherry-studio-TykoFork software, version 0.1. The flaw resides in the redirectToAuthorization function of the OAuth Server Discovery component, specifically within the /.well-known/oauth-authorization-server endpoint. This function improperly handles the authorizationUrl parameter, allowing an attacker to inject and execute arbitrary operating system commands remotely. The vector records low privileges required (PR:L) and no user interaction, so the flaw is reachable by remote attackers with minimal access; the exploit maturity metric (E:P) indicates that a proof of concept exists. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates a network attack vector, low attack complexity, low privileges required, no user interaction, and low (partial) impacts on confidentiality, integrity, and availability of the vulnerable system, with no impact on subsequent systems. Although the CVSS score is moderate (5.3), the ability to execute OS commands can lead to significant system compromise, including data manipulation or denial of service. The vulnerability affects only version 0.1 of cherry-studio-TykoFork, and no official patches have been published yet. The exploit has been publicly disclosed, increasing the risk of exploitation. The absence of known exploitation in the wild suggests limited current active attacks but warrants proactive mitigation. The vulnerability's presence in an OAuth server discovery component is critical because OAuth is widely used for authentication and authorization, and compromise here could cascade to broader access control failures.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized command execution on servers running the affected TykoDev cherry-studio-TykoFork 0.1 software. This could compromise the confidentiality, integrity, and availability of authentication services, potentially allowing attackers to manipulate OAuth flows, escalate privileges, or disrupt service availability. Organizations relying on this OAuth server for identity management or API authorization could face service outages, data breaches, or lateral movement within their networks. Given the critical role of OAuth in securing access to cloud services, internal applications, and APIs, this vulnerability could undermine trust in authentication mechanisms and expose sensitive user data. The medium severity score suggests a moderate but tangible risk, especially if the affected software is deployed in production environments without mitigations. European sectors with high reliance on OAuth for digital identity, such as finance, healthcare, and government, could experience significant operational and reputational impacts if exploited.
Mitigation Recommendations
1. Immediately audit all instances of TykoDev cherry-studio-TykoFork 0.1 deployments within your environment, focusing on OAuth server discovery endpoints.
2. Implement strict input validation and sanitization on the authorizationUrl parameter to prevent injection of OS commands.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious command injection patterns targeting the /.well-known/oauth-authorization-server endpoint.
4. Restrict network access to OAuth server endpoints to trusted IP ranges and enforce strong authentication where possible.
5. Monitor logs for unusual command execution attempts or anomalies in OAuth authorization requests.
6. Coordinate with TykoDev for official patches or updates and prioritize applying them once released.
7. Consider isolating or containerizing the OAuth server component to limit the blast radius of potential exploitation.
8. Conduct penetration testing focusing on command injection vectors in OAuth-related components.
9. Educate development and security teams about secure coding practices to prevent injection vulnerabilities in future releases.
10. Maintain an incident response plan to quickly contain and remediate any exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-07T07:57:52.798Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69360a2e96e8d1719bc52541
Added to database: 12/7/2025, 11:13:50 PM
Last enriched: 12/7/2025, 11:28:42 PM
Last updated: 12/8/2025, 4:05:26 AM