CVE-2025-55204

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.6 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H                                    

Vulnerability Description

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.

Vulnerability Details

Published Date

January 05, 2026

Last Modified

January 12, 2026

CWE ID

CWE-94

Source

NVD

Vendor

muffon

Product

muffon

External References

https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing
https://github.com/staniel359/muffon/releases/tag/v2.3.0
https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q

CVE-2025-55204

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment