CVE-2025-55204

Опубликовано: 05 янв. 2026

Источник: nvd

CVSS3: 8.8

CVSS3: 9.6

EPSS Низкий

Описание

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted muffon:// link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.

Ссылки

https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing
Exploit
https://github.com/staniel359/muffon/releases/tag/v2.3.0
Product
Release Notes
https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:muffon:muffon:*:*:*:*:*:node.js:*:*

Версия до 2.3.0 (исключая)

EPSS

Процентиль: 45%

0.00226

Низкий

8.8 High

CVSS3

9.6 Critical

CVSS3

Дефекты

CWE-94

CWE-79

EPSS

Процентиль: 45%

0.00226

Низкий

8.8 High

CVSS3

9.6 Critical

CVSS3

Дефекты

CWE-94

CWE-79