Platform: other
Component: dive
Fixed in: 0.9.1
CVE-2025-58176 describes a Remote Code Execution (RCE) vulnerability in Dive, an open-source MCP Host Desktop Application. This flaw allows an attacker to execute arbitrary code on a victim's system by exploiting a vulnerability in how the application handles custom URLs. The vulnerability impacts versions 0.9.0 through 0.9.3, and a fix is available in version 0.9.4.
The impact of this vulnerability is significant, as it allows for complete remote code execution. An attacker can leverage this flaw to install malware, steal sensitive data, or gain persistent access to the victim's system. The attack vector is particularly concerning, as it can be triggered simply by visiting a malicious website or clicking on a crafted link embedded within seemingly legitimate content. This makes it easy to trick users into triggering the vulnerability without their knowledge. The attack does not require any authentication or complex exploitation techniques, making it accessible to a wide range of attackers.
CVE-2025-58176 was publicly disclosed on September 3, 2025. No public proof-of-concept (PoC) code has been released as of this date. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation, although active campaigns are not currently confirmed. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.29% (52nd percentile)
The primary mitigation for CVE-2025-58176 is to upgrade Dive to version 0.9.4 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a temporary workaround by blocking access to external URLs within the Dive application. This can be achieved through network-level firewalls or proxy configurations. Additionally, educate users to be cautious about clicking on links from untrusted sources and to verify the legitimacy of websites before visiting them. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious URL and verifying that the application no longer executes code.
Update Dive to version 0.9.4 or later. This version fixes the remote code execution vulnerability caused by incorrect handling of custom URLs. Download the latest version from the official website or the project's repository.
CVE-2025-58176 is a Remote Code Execution vulnerability in Dive versions 0.9.0 through 0.9.3. An attacker can execute arbitrary code by exploiting a flaw in URL handling.
You are affected if you are using Dive versions 0.9.0, 0.9.1, 0.9.2, or 0.9.3. Upgrade to version 0.9.4 or later to mitigate the risk.
Upgrade Dive to version 0.9.4 or later. As a temporary workaround, block access to external URLs within the Dive application.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation suggests a potential risk.
Refer to the official Dive project repository and release notes for the latest advisory and update information.