CVE-2025-58176: CWE-94: Improper Control of Generation of Code ('Code Injection') in OpenAgentPlatform Dive

High
Tags: Vulnerability, CVE-2025-58176, cve, cve-2025-58176, cwe-94
Published: Wed Sep 03 2025 (09/03/2025, 03:52:56 UTC)
Source: CVE Database V5
Vendor/Project: OpenAgentPlatform
Product: Dive

Description

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom URL value, `transport`, in the JSON object. An attacker can exploit the vulnerability in the following two scenarios: a victim visits a malicious website controlled by the attacker and the website redirects to the URL automatically, or a victim clicks on such a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes Dive's custom URL handler (dive:), which launches the Dive app and processes the crafted URL, leading to arbitrary code execution on the victim’s machine. This vulnerability is caused by improper processing of the custom URL. This is fixed in version 0.9.4.

AI-Powered Analysis

AI analysis last updated: 09/03/2025, 04:17:47 UTC

Technical Analysis

CVE-2025-58176 is a high-severity remote code execution (RCE) vulnerability affecting the Dive application, an open-source MCP Host Desktop Application developed by OpenAgentPlatform that integrates with function-calling large language models (LLMs). The vulnerability exists in versions 0.9.0 through 0.9.3 and stems from improper handling of a custom URL scheme (dive:) used by the application. Specifically, the vulnerability is triggered via a crafted JSON object containing a malicious 'transport' parameter within the custom URL. When a user either visits a malicious website that automatically redirects to such a crafted dive: URL or clicks a maliciously crafted link embedded in legitimate content, the browser invokes Dive's custom URL handler. This handler processes the URL without adequate validation or sanitization, leading to arbitrary code execution on the victim’s machine. The root cause is categorized under CWE-94, indicating improper control over code generation, which allows an attacker to inject and execute arbitrary code remotely. The vulnerability requires no prior authentication but does require user interaction in the form of visiting or clicking a malicious link. The CVSS v3.1 base score is 8.8 (high severity), reflecting a network attack vector, low attack complexity, no privileges required, required user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability has been fixed in Dive version 0.9.4. No known exploits have been reported in the wild as of the publication date (September 3, 2025).

Potential Impact

For European organizations, this vulnerability poses a significant risk due to the potential for remote code execution on endpoints running vulnerable versions of Dive. Successful exploitation could lead to full system compromise, allowing attackers to steal sensitive data, manipulate or destroy information, and disrupt operations. Given Dive’s role in integrating with function-calling LLMs, attackers might also leverage this access to manipulate AI-driven workflows or exfiltrate intellectual property. The attack vector via web browsers increases the likelihood of exploitation through phishing campaigns or malicious websites, which are common attack methods in Europe. Organizations relying on Dive for AI integration in sectors such as finance, healthcare, or critical infrastructure could face severe operational and reputational damage. Additionally, the high confidentiality impact could lead to violations of GDPR and other data protection regulations, resulting in legal and financial penalties.

Mitigation Recommendations

European organizations should immediately verify if Dive is deployed within their environment and identify the version in use. Upgrading to Dive version 0.9.4 or later is the primary and most effective mitigation. Until the upgrade is applied, organizations should implement strict URL filtering and web content filtering to block dive: custom URL schemes from untrusted sources. Endpoint protection solutions should be configured to detect and block suspicious process launches initiated via custom URL handlers. User awareness training should emphasize the risks of clicking unknown or suspicious links, especially those that might invoke custom protocols. Network-level controls can be employed to restrict outbound connections from Dive processes to only trusted destinations. Additionally, organizations should monitor logs for unusual Dive application activity or unexpected process executions. If possible, disabling the custom URL handler for Dive temporarily can reduce exposure. Finally, coordinate with software vendors and security teams to ensure timely patch management and incident response readiness.
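
One way to apply the content-filtering recommendation above to HTML you control, such as user-generated content, as an added example (not code from Dive or from this advisory). The names `find_dive_links`, `url_scheme` and `DiveLinkFinder` are hypothetical, and the sample markup is constructed; the scanner reports every link or meta refresh that a browser would resolve to the dive: scheme, including case, character-reference and whitespace variants of the scheme name.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction", "data"}  # URL-bearing attributes (not exhaustive)
C0_OR_SPACE = "".join(map(chr, range(0x21)))  # browsers drop these at the start of a URL

def url_scheme(value):
    """Lower-cased scheme as a browser would resolve it, or None for relative URLs."""
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(C0_OR_SPACE)  # tab/CR/LF are removed anywhere
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None

class DiveLinkFinder(HTMLParser):
    """Collects (line, tag, attribute) for every URL that resolves to the dive: scheme."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # values arrive with character references decoded
        candidates = [(k, v) for k, v in a.items() if k in URL_ATTRS]
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?(.*)", a.get("content", ""), re.I | re.S)
            if m:
                candidates.append(("content", m.group(1)))
        for attr, value in candidates:
            if url_scheme(value) == "dive":
                self.hits.append((self.getpos()[0], tag, attr))

def find_dive_links(html):
    finder = DiveLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample; "placeholder" stands in for the link body, which is irrelevant here.
SAMPLE = """<p>Release notes: <a href="https://example.com/dive">Dive</a></p>
<a href="DIVE:placeholder">upper-case scheme</a>
<a href="&#100;i&#x76;e:placeholder">character references in the scheme</a>
<a href=" di&#9;ve:placeholder">whitespace inside the scheme</a>
<meta http-equiv="refresh" content="0; url=dive:placeholder">
<a href="/docs/dive:intro">relative path, not a scheme</a>"""

if __name__ == "__main__":
    for line, tag, attr in find_dive_links(SAMPLE):
        print(f"line {line}: <{tag} {attr}=...> resolves to the dive: scheme")
```

Script-driven redirects are outside what a markup scan can see, so this complements upgrading to 0.9.4 and does not replace it.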


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-27T13:34:56.189Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b7bde8ad5a09ad00ec5b69

Added to database: 9/3/2025, 4:02:48 AM

Last enriched: 9/3/2025, 4:17:47 AM

Last updated: 9/3/2025, 11:08:11 AM
