CVE-2025-58176: CWE-94: Improper Control of Generation of Code ('Code Injection') in OpenAgentPlatform Dive
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom URL value, `transport`, in the JSON object. An attacker can exploit the vulnerability in the following two scenarios: a victim visits a malicious website controlled by the attacker and the website redirects to the URL automatically, or a victim clicks on such a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes Dive's custom URL handler (dive:), which launches the Dive app and processes the crafted URL, leading to arbitrary code execution on the victim’s machine. This vulnerability is caused by improper processing of the custom URL. This is fixed in version 0.9.4.
AI Analysis
Technical Summary
CVE-2025-58176 is a critical remote code execution (RCE) vulnerability affecting versions 0.9.0 through 0.9.3 of Dive, an open-source MCP Host Desktop Application developed by OpenAgentPlatform. Dive integrates with function-calling large language models (LLMs) and registers a custom URL scheme handler (dive:) on the victim’s machine. The vulnerability arises from improper validation and processing of the 'transport' parameter within a JSON object embedded in the custom URL. When a user either visits a malicious website that automatically redirects to a crafted dive: URL or clicks on a maliciously crafted link embedded in legitimate content, the browser invokes Dive’s custom URL handler. This causes Dive to parse and execute the supplied data without adequate sanitization, leading to arbitrary code execution on the victim’s system. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that untrusted input is directly used to generate and execute code. The CVSS v3.1 base score is 8.8 (high severity), with attack vector being network (AV:N), no privileges required (PR:N), user interaction required (UI:R), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the ease of exploitation via a single click or automatic redirect makes this a significant threat. The issue is resolved in Dive version 0.9.4, which properly sanitizes and validates the custom URL input before processing.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for those using Dive as part of their LLM integration workflows or desktop automation. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary commands, steal sensitive data, manipulate or destroy files, and potentially move laterally within corporate networks. Given the high confidentiality, integrity, and availability impacts, critical business operations could be disrupted. The attack vector involving user interaction or automatic redirects makes phishing campaigns or malicious web content effective delivery methods. Organizations in sectors with high reliance on AI/LLM tools or desktop integrations—such as technology firms, research institutions, and financial services—are particularly vulnerable. Additionally, since Dive is open-source and may be integrated into customized environments, unpatched instances might be widespread, increasing the attack surface. The lack of known exploits in the wild currently provides a window for proactive patching and mitigation before widespread exploitation occurs.
Mitigation Recommendations
1. Immediate upgrade to Dive version 0.9.4 or later, which contains the fix for this vulnerability.
2. Implement strict URL filtering and validation at the network perimeter to block or flag dive: custom URL schemes originating from untrusted or external sources.
3. Educate users about the risks of clicking on unknown or suspicious links, especially those that may trigger application launches via custom URL handlers.
4. Employ endpoint protection solutions capable of detecting anomalous process launches or suspicious command executions initiated by Dive or related processes.
5. For organizations deploying Dive in managed environments, consider disabling or restricting the registration of custom URL handlers unless absolutely necessary.
6. Monitor logs and network traffic for unusual activity related to Dive or unexpected invocations of the custom URL scheme.
7. Conduct internal audits to identify all instances of Dive deployment and ensure timely patching.
8. Use application whitelisting to prevent unauthorized execution of code spawned by Dive.
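Recommendations 6 and 7 can be partly automated. The Python below is an added example, not code from Dive or from the advisory: it classifies inventoried Dive versions against the affected range and flags dive: URLs in page or log text. The host names, versions and dive: placeholder values are constructed, and the scan only sees URLs that appear literally in the text it is given.

```python
import re
from urllib.parse import unquote

# Affected range from the advisory: 0.9.0 through 0.9.3 (fixed in 0.9.4).
AFFECTED_MIN, AFFECTED_MAX = (0, 9, 0), (0, 9, 3)

def classify_version(text):
    """Return 'affected', 'outside-range' or 'unknown' for a version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return "unknown"  # verify by hand rather than assume patched
    version = tuple(int(part) for part in m.groups())
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside-range"

def triage_inventory(inventory):
    """Map each host to the classification of its installed Dive version."""
    return {host: classify_version(v) for host, v in inventory.items()}

# dive: at a URL boundary, so "skydive:" or "scuba-dive:" do not match.
DIVE_URL = re.compile(r"(?<![A-Za-z0-9+.\-])dive:[^\s\"'<>]*", re.IGNORECASE)

def find_dive_links(lines):
    """Return (line_no, mentions_transport, excerpt) per dive: URL found."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for match in DIVE_URL.finditer(line):
            url = match.group(0)
            # Percent-decode once so an encoded key name is still seen.
            mentions = "transport" in unquote(url).lower()
            hits.append((line_no, mentions, url[:60]))
    return hits

# Constructed inventory (host -> installed Dive version), not real data.
SAMPLE_INVENTORY = {"ws-01": "0.9.3", "ws-02": "0.9.4", "ws-03": "v0.9.0",
                    "ws-04": "0.8.12", "ws-05": "nightly"}

# Constructed page/log lines; the dive: values are inert placeholders.
SAMPLE_LINES = [
    '<a href="https://example.org/docs">docs</a>',
    '<a href="dive:PLACEHOLDER">open in app</a>',
    '<meta http-equiv="refresh" content="0;url=DIVE:PLACEHOLDER-%74ransport-X">',
    'GET /blog/skydive:tips HTTP/1.1',
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
    for hit in find_dive_links(SAMPLE_LINES):
        print(hit)
```

Hosts reported as "unknown" need a manual version check, and a hit with the transport flag set is the one to review first, since that is the value the advisory names.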
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Ireland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-27T13:34:56.189Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68b7bde8ad5a09ad00ec5b69
Added to database: 9/3/2025, 4:02:48 AM
Last enriched: 9/10/2025, 4:51:12 AM
Last updated: 10/18/2025, 10:02:45 AM