CVE-2025-61929: CWE-94: Improper Control of Generation of Code ('Code Injection') in CherryHQ cherry-studio
Cherry Studio is a desktop client that supports multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist.
AI Analysis
Technical Summary
CVE-2025-61929 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting CherryHQ's cherry-studio desktop client, specifically versions up to 1.7.0-alpha.4. Cherry Studio supports multiple large language model (LLM) providers and registers a custom URL protocol handler, cherrystudio://, to facilitate certain operations such as MCP installation. The vulnerability arises in the handling of MCP installation URLs, where the application parses base64-encoded configuration data embedded in the URL and directly executes commands contained within this data without adequate validation or sanitization. The vulnerable code resides in the files src/main/services/ProtocolClient.ts and src/main/services/urlschema/mcp-install.ts, particularly within the handleMcpProtocolUrl function. An attacker can exploit this by crafting a malicious cherrystudio://mcp URL containing harmful commands encoded in base64 and embedding this URL in a website or other content. When a user clicks this link, the application processes and executes the embedded commands, leading to arbitrary code execution on the victim's machine. The attack vector requires user interaction (clicking the malicious link) but no prior authentication, and the scope of impact is broad due to the ability to execute arbitrary commands. The CVSS v3.1 score is 9.7 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with ease of exploitation over the network with low attack complexity. No patches or mitigations have been published at the time of disclosure, increasing the urgency for defensive measures. Although no known exploits are currently observed in the wild, the vulnerability's nature and severity make it a high-risk threat, especially for environments where cherry-studio is used to manage or interact with LLM providers.
Potential Impact
For European organizations, the impact of CVE-2025-61929 can be severe. Successful exploitation allows attackers to execute arbitrary commands on affected endpoints, potentially leading to full system compromise. This can result in data theft, unauthorized access to sensitive information, disruption of services, and lateral movement within networks. Organizations relying on cherry-studio for managing LLM integrations or workflows may face operational disruptions and intellectual property exposure. The vulnerability's exploitation requires user interaction but no authentication, making phishing or social engineering campaigns a likely attack vector. Given the critical CVSS score and the ability to compromise confidentiality, integrity, and availability, affected organizations could suffer significant financial, reputational, and regulatory consequences, especially under strict European data protection laws such as GDPR. Additionally, the lack of a patch increases the window of exposure, necessitating immediate risk mitigation. The threat is particularly relevant for sectors with high reliance on AI/LLM technologies, including research institutions, technology companies, and enterprises integrating AI-driven solutions.
Mitigation Recommendations
Until an official patch is released, European organizations should implement specific mitigations to reduce risk:
1) Disable or unregister the cherrystudio:// custom protocol handler on all endpoints where cherry-studio is installed to prevent automatic processing of malicious URLs.
2) Educate users about the risks of clicking unknown or suspicious links, especially those using custom protocols, and implement strict email and web filtering to block or flag such URLs.
3) Employ endpoint detection and response (EDR) solutions to monitor for unusual command execution patterns indicative of exploitation attempts.
4) Restrict user permissions on affected systems to limit the impact of potential code execution.
5) Use application whitelisting to prevent unauthorized execution of commands or scripts spawned by cherry-studio.
6) Monitor network traffic for attempts to access or invoke the cherrystudio:// protocol.
7) Engage with CherryHQ for updates and prioritize patch deployment once available.
8) Consider isolating or sandboxing systems running cherry-studio to contain potential compromises.
These targeted actions go beyond generic advice by focusing on the unique attack vector and application behavior.
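The link format described in the technical summary and the URL filtering called for in mitigation 2 can be combined into a small triage routine that flags every cherrystudio://mcp link in a piece of content and shows which command its payload carries. The TypeScript below is an added example, not code from Cherry Studio or from this advisory; the `servers` query parameter, the `/mcp/install` path used in the sample and the JSON layout are assumptions.

```typescript
// Added example: triage cherrystudio://mcp links found in mail or web content.
// ASSUMPTIONS (not from the advisory): the payload is the `servers` query
// parameter and decodes to JSON holding {"command": "...", "args": [...]} objects.
interface Finding { url: string; status: "decoded" | "undecodable"; commands: string[]; }

const LINK_RE = /cherrystudio:\/\/mcp[^\s"'<>]*/gi;

// Accepts URL-safe base64 too; atob yields Latin-1, which is enough for ASCII JSON.
function decodeConfig(b64: string): unknown {
  return JSON.parse(atob(b64.replace(/-/g, "+").replace(/_/g, "/")));
}

// Walk the decoded JSON and record every "command" with its args, at any depth.
function collectCommands(node: unknown, out: string[]): void {
  if (Array.isArray(node)) { node.forEach(n => collectCommands(n, out)); return; }
  if (node === null || typeof node !== "object") return;
  const obj = node as Record<string, unknown>;
  if (typeof obj.command === "string") {
    const args = Array.isArray(obj.args) ? obj.args.map(String) : [];
    out.push([obj.command, ...args].join(" "));
  }
  Object.values(obj).forEach(v => collectCommands(v, out));
}

// Every match is reported: an undecodable link is still a handler invocation.
function triageLinks(text: string): Finding[] {
  const findings: Finding[] = [];
  for (const url of text.match(LINK_RE) ?? []) {
    const commands: string[] = [];
    let status: Finding["status"] = "undecodable";
    try {
      const m = /[?&]servers=([^&#]*)/.exec(url);
      if (m) {
        collectCommands(decodeConfig(decodeURIComponent(m[1])), commands);
        status = "decoded";
      }
    } catch { /* malformed escape, base64 or JSON: keep status "undecodable" */ }
    findings.push({ url, status, commands });
  }
  return findings;
}

// Constructed sample: one decodable link with a placeholder command, one malformed.
const SAMPLE_CFG = { mcpServers: { demo: { command: "example-tool", args: ["--flag"] } } };
const SAMPLE_TEXT =
  `<a href="cherrystudio://mcp/install?servers=${encodeURIComponent(btoa(JSON.stringify(SAMPLE_CFG)))}">x</a>\n` +
  "see cherrystudio://mcp/install?servers=%%%not-base64 and https://example.org/";

console.log(JSON.stringify(triageLinks(SAMPLE_TEXT), null, 2));
```

Findings with status "decoded" give an analyst the exact command line a click would have handed to the application; "undecodable" findings should still be blocked or flagged.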
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-03T22:21:59.617Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68e9657bb83e3429f3274514
Added to database: 10/10/2025, 7:58:51 PM
Last enriched: 10/10/2025, 7:59:11 PM
Last updated: 10/11/2025, 1:32:10 AM