Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cherry Studio RCE Vulnerability Disclosure
Vulnerability Description
Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Cherry Studio 操作系统命令注入漏洞
Vulnerability Description
Cherry Studio是中国千彗(Cherry Studio)公司的一个多模型AI助手。 Cherry Studio 1.5.1版本存在操作系统命令注入漏洞,该漏洞源于streamableHttp MCP服务器连接时未正确清理URL,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A