CVE-2025-55204

Sažetak

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.

Reference

https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing
https://github.com/staniel359/muffon/releases/tag/v2.3.0
https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q

CVSS

Base:	8.8
Impact:	5.9
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

08-01-2026 - 18:09

Objavljeno

05-01-2026 - 18:15