CVE-2025-58176 (CNNVD-202509-405)
中文标题:
Dive 安全漏洞
英文标题:
Dive's improper processing of custom urls can lead to Remote Code Execution
漏洞描述
中文描述:
Dive是OpenAgentPlatform开源的一个MCP主机桌面应用程序。 Dive 0.9.3及之前版本存在安全漏洞,该漏洞源于自定义URL处理不当,可能导致远程代码执行。
英文描述:
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom url value, `transport` in the JSON object. An attacker can exploit the vulnerability in the following two scenarios: a victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or a victim clicks on such a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes Dive's custom URL handler (dive:), which launches the Dive app and processes the crafted URL, leading to arbitrary code execution on the victim’s machine. This vulnerability is caused by improper processing of custom url. This is fixed in version 0.9.4.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| OpenAgentPlatform | Dive | >= 0.9.0, < 0.9.4 | - | - |
cpe:2.3:a:openagentplatform:dive:>=_0.9.0,_<_0.9.4:*:*:*:*:*:*:*
|
| openagentplatform | dive | * | - | - |
cpe:2.3:a:openagentplatform:dive:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-58176 |
2025-11-11 15:23:30 | 2025-11-11 07:40:45 |
| NVD | nvd_CVE-2025-58176 |
2025-11-11 15:01:01 | 2025-11-11 07:48:32 |
| CNNVD | cnnvd_CNNVD-202509-405 |
2025-11-11 15:12:55 | 2025-11-11 08:00:14 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202509-405
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']