216.73.217.80

CVE-2025-58176

· Published 03/09/2025 04:16 · Modified 03/09/2025 04:16

Labels: CVE-2025-58176 2025-09-03CVE-2025-58176CWE-94[email protected]

Essential information

Published
03/09/2025 04:16
Modified
03/09/2025 04:16
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom url value, `transport` in the JSON object. An attacker can exploit the vulnerability in the following two scenarios: a victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or a victim clicks on such a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes Dive's custom URL handler (dive:), which launches the Dive app and processes the crafted URL, leading to arbitrary code execution on the victim’s machine. This vulnerability is caused by improper processing of custom url. This is fixed in version 0.9.4.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dive / dive cpe:2.3:a:dive:dive:0.9.0-0.9.3:*:*:*:*:*:*:*
dive / dive cpe:2.3:a:dive:dive:0.9.4:*:*:*:*:*:*:*

References