CNNVD-202508-1375 Information

CNNVD ID

CNNVD-202508-1375

CVE-2025-54074

  • CNNVD Published: 2025-08-13

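Description (translated from Chinese)

Cherry Studio is a multi-model AI assistant from the Chinese company 千彗 (Cherry Studio). Cherry Studio versions 1.2.5 through 1.5.1 contain an operating system command injection vulnerability, which stems from OS command injection when connecting to a malicious MCP server.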

Description (English)

Cherry Studio is a multi-model AI assistant developed by Cherry Studio (千彗) in China. Cherry Studio versions 1.2.5 through 1.5.1 contain an operating system command injection vulnerability, which arises when the application connects to a malicious MCP server.

Hazard Level

High

Vulnerability Type

Operating system command injection

Affected Vendor

千彗

Published

2025-08-13

Last Modified

2026-02-24

References

https://github.com/CherryHQ/cherry-studio/commit/40f9601379150854826ff3572ef7372fb0acdc38

https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px

Patch

https://github.com/CherryHQ/cherry-studio/releases
