Remote Code Execution Vulnerability in Cherry Studio Desktop Client
CVE-2025-54063

8HIGH

Key Information:

Vendor: Cherryhq
Status: Cherry-studio
Vendor: CVE Published:; 11 August 2025

What is CVE-2025-54063?

The Cherry Studio desktop client, supporting multiple LLM providers, has a vulnerability that allows for remote code execution via custom URL handling in versions 1.4.8 to 1.5.0. This security flaw can be exploited when a user clicks on a malicious link that triggers the app’s URL handler. Consequently, this leads to unauthorized execution of code on the user's machine, exposing it to potential threats. The issue has been addressed in version 1.5.1.

Affected Version(s)

cherry-studio >= 1.4.8, < 1.5.1

References

https://github.com/CherryHQ/cherry-studio/security/adviso...

x_refsource_CONFIRM

https://github.com/CherryHQ/cherry-studio/pull/8218

x_refsource_MISC

https://github.com/CherryHQ/cherry-studio/commit/ff72c007...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 11, 2025
Vulnerability Reserved
Jul 16, 2025

Cherryhq

What is CVE-2025-54063?

Affected Version(s)

References

CVSS V3.1

Timeline