- CVE-2025-61929 (CVSS 9.7, critical): Cherry Studio’s custom URL scheme (
cherrystudio://) can be abused for **one-click remote code execution (RCE)** when victims open a crafted link. :contentReference[oaicite:0]{index=0} - The bug ties to handling of
cherrystudio://mcpinstallation URLs where base64 config is parsed and a command executed. :contentReference[oaicite:1]{index=1} - Action: update to the latest Cherry Studio release immediately and apply the hardening steps below. Prior related issues were fixed around v1.5.2, but always install the newest version available. :contentReference[oaicite:2]{index=2}
🔒 Partner Picks — Fortify Your AI/Desktop Pipelines
- Kaspersky Premium Security — endpoint & server defense for developer workstations.
- Alibaba Cloud Threat Detection — SIEM + telemetry for app/agent fleets.
- Edureka Cybersecurity Master Program — secure desktop & supply-chain defense.
Affiliate links may earn us a commission at no extra cost to you.
What happened
A critical flaw (CVE-2025-61929) in Cherry Studio — a cross-platform desktop client for multiple LLM providers — allows **one-click RCE** via its custom URL protocol cherrystudio://. When handling certain MCP installation links, Cherry Studio decodes embedded configuration and **executes a command**, enabling code execution after a single click on a malicious link. :contentReference[oaicite:3]{index=3}
Related earlier Cherry Studio issues (e.g., command injection when connecting to malicious MCP servers) were remediated around v1.5.2, underscoring an evolving attack surface for MCP-enabled clients. :contentReference[oaicite:4]{index=4}
Why this matters
- Single-click compromise: social engineering + a crafted link can compromise developer or analyst machines. :contentReference[oaicite:5]{index=5}
- Supply-chain ripple: compromised hosts may hold API keys, model credentials, or access to CI/CD and corp networks.
- AI agent ecosystem risk: multiple MCP-capable apps have seen similar issues in 2025; defenders should harden protocol handlers and agent connectivity. :contentReference[oaicite:6]{index=6}
Who is at risk
- Users who have Cherry Studio installed with the
cherrystudio://protocol registered. - Teams evaluating external MCP servers or importing third-party MCP configurations.
- Developers/analysts who may click links in chats, docs, or websites that trigger the custom protocol.
Defensive detection ideas (safe)
Use these non-exploitative checks to surface suspicious behavior:
- Process tree anomalies: Cherry Studio or its child processes spawning shells or unknown binaries shortly after browser clicks.
- URL handler telemetry: log invocations of
cherrystudio://handlers; alert oncherrystudio://mcpwith unexpected base64 payload sizes. :contentReference[oaicite:7]{index=7} - Network egress: new outbound connections from Cherry Studio to unrecognized MCP endpoints following link clicks.
- File drift: new scripts appearing in app data or temp paths post-click; compare to a clean baseline.
Mitigation & hardening checklist
- Update immediately: install the latest Cherry Studio version available from the vendor; prior Cherry issues were fixed around v1.5.2, but always move to the newest release and monitor for a dedicated fix for CVE-2025-61929. :contentReference[oaicite:8]{index=8}
- Disable protocol handler (temporary): unregister or block
cherrystudio://at OS level until patched; restrict browser ability to open it. - Zero-trust MCP: only connect to trusted MCP servers; validate configuration sources; block external MCP URLs by default.
- OS sandboxing: run Cherry Studio with least privilege; consider AppArmor/SELinux profiles and separate user accounts on Linux/macOS.
- Secrets hygiene: keep API keys out of user profiles; use scoped tokens and rotate credentials on affected hosts.
- SIEM rules: add detections for custom-protocol invocations spawning shells; alert on anomalous parent→child chains.
Incident Response (if you suspect exploitation)
- Isolate the host and snapshot the system/VM.
- Preserve evidence: browser history/events around the click, protocol handler logs, Cherry Studio logs, process trees, and filesystem diffs.
- Rotate tokens/keys used on the host (LLM providers, git, CI/CD, cloud CLI).
- Clean rebuild from a known-good image if integrity is uncertain; redeploy with patched Cherry Studio.
🧰 CyberDudeBivash Response & Tools
Need help hardening MCP-capable clients or investigating a suspected hit?
- Threat Analyser — IOC correlation & process tree analytics.
- SessionShield — session integrity protection for desktop portals.
- Emergency IR consult
📢 Subscribe — CyberDudeBivash ThreatWire
Weekly breach analysis, patch advisories, and defensive playbooks.
Subscribe NowRecommended by CyberDudeBivash
References
- NVD entry for CVE-2025-61929 (custom protocol → one-click code execution). :contentReference[oaicite:9]{index=9}
- Tenable summary mirroring NVD technical description. :contentReference[oaicite:10]{index=10}
- Coverage: SecurityOnline.Info’s explainer of the one-click RCE via malicious links. :contentReference[oaicite:11]{index=11}
- Prior related Cherry Studio command-injection issues and fixed versions (~v1.5.2). :contentReference[oaicite:12]{index=12}
- Broader MCP-client risk context (researchers highlighting multiple AI-agent client vulns in 2025). :contentReference[oaicite:13]{index=13}
Closing note
Treat custom URL handlers as high-risk entry points. Patch Cherry Studio to the newest version, disable the cherrystudio:// handler until updates are deployed, and enforce zero-trust for MCP sources. For a quick tabletop on desktop-client protocol attacks or help validating your environment:
https://www.cyberdudebivash.com/contact
Hashtags:
#CyberDudeBivash #CherryStudio #CVE202561929 #RCE #OneClickExploit #MCP #DesktopSecurity #ThreatHunting #IncidentResponse