OS Command Injection Vulnerability in SkyworkAI DeepResearchAgent
CVE-2025-8667

5.3 MEDIUM

Key Information:

Vendor: Skyworkai
CVE Published: 6 August 2025

What is CVE-2025-8667?

A security flaw exists in SkyworkAI DeepResearchAgent, in the from_code/from_dict/from_mcp functions of its tools.py file. The vulnerability allows an attacker to execute arbitrary operating system commands remotely, posing a significant risk to systems using this software. Because SkyworkAI uses a continuous delivery model, identifying the specific affected versions is difficult: no clear version details are available for affected or patched releases. Early attempts to contact the vendor about this vulnerability went unanswered, raising concerns about its responsiveness to security issues.

Affected Version(s)

DeepResearchAgent 08eb7f8eb9505d0094d75bb97ff7dacc3fa3bbf2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bayuncao (VulDB User)