CVE-2025-14204

medium

Published 2025-12-07 · Modified 2026-04-29

CVSS v3

6.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v2

6.5

VIR risk

6.3

Description

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Predictions

Exploit likelihood

73%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://lavender-bicycle-a5a.notion.site/TokyoTech-RCE-26153a41781f80b6a370d427a6d307f0
https://vuldb.com/?ctiid.334647
https://vuldb.com/?id.334647
https://vuldb.com/?submit.700182

CWEs

CWE-77 CWE-78

Verify integrity in audit chain (admin only). AS-IS.