CVE-2025-54074 — CRITICAL (9.8)

Q: How severe is CVE-2025-54074?

CVE-2025-54074 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2025-54074?

Check the references section above for vendor advisories and patch information. Affected products include: Cherry-Ai Cherry Studio.

Vulnerability Description

Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cherry-Ai	Cherry Studio	>= 1.2.5, < 1.5.2

Related Weaknesses (CWE)

CWE-78

References

FAQ

What is CVE-2025-54074?

CVE-2025-54074 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP s...

How severe is CVE-2025-54074?

CVE-2025-54074 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-54074?

Check the references section above for vendor advisories and patch information. Affected products include: Cherry-Ai Cherry Studio.