Platform: other
Component: muffon
Fixed version: 2.3.1
CVE-2025-55204 describes a critical Remote Code Execution (RCE) vulnerability affecting Muffon, a cross-platform music streaming client for desktop. An attacker can exploit this flaw by crafting a malicious muffon:// link, leading to arbitrary code execution on the victim's machine without requiring further interaction. This vulnerability impacts versions of Muffon prior to 2.3.0, and a patch is available in version 2.3.0.
The impact of CVE-2025-55204 is severe due to its ease of exploitation and the potential for complete system compromise. An attacker can embed a specially crafted muffon:// link on any website they control. When a victim clicks this link or visits the website, Muffon's custom URL handler is triggered, allowing the attacker to execute arbitrary code. This could lead to data theft, malware installation, or complete control of the victim's system. The lack of user interaction required for exploitation significantly increases the attack surface and potential for widespread compromise. This vulnerability shares similarities with other custom URL scheme vulnerabilities where improper handling of user-supplied data leads to code execution.
CVE-2025-55204 was publicly disclosed on 2026-01-05. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released as of the disclosure date. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 8.8 (HIGH) reflects the significant risk posed by this vulnerability.
Users of Muffon running versions prior to 2.3.0 are at risk, particularly those who frequently browse the internet or click on links from untrusted sources. Shared hosting environments where multiple users share the same system are also at increased risk, as a single compromised user could potentially compromise the entire system.
• windows / supply-chain: Monitor PowerShell for unusual process creation related to Muffon. Check Autoruns for suspicious entries associated with the muffon:// protocol.
    Get-Process -Name Muffon | Select-Object -ExpandProperty Path
• generic web: Examine web server access logs for requests containing muffon:// URLs. Inspect response headers for unexpected content or redirection.
    grep 'muffon://' /var/log/apache2/access.log
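An added example, not part of the original advisory or the Muffon project: a Python scan of Apache combined-format access logs for muffon: references, which also catches the upper-cased and percent-encoded forms that a literal grep for 'muffon://' misses. The log lines, addresses and PLACEHOLDER targets are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# URI scheme names are case-insensitive (RFC 3986), so MUFFON: must match too.
SCHEME_RE = re.compile(r"(?<![a-z0-9+.\-])muffon:", re.IGNORECASE)
# Apache common/combined format: host ident user [time] "request" status size ["referer" "agent"]
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def decode_layers(value, max_rounds=3):
    """Percent-decode repeatedly so %3A and %253A forms are both normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_muffon_refs(lines):
    """Return one dict per request/referer field that names the muffon scheme."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in common/combined format; skip rather than guess
        for field in ("request", "referer"):
            raw = m.group(field) or ""
            if SCHEME_RE.search(decode_layers(raw)):
                hits.append({"line": lineno, "host": m.group("host"), "field": field,
                             "encoded": "muffon:" not in raw.lower()})
    return hits

# Constructed sample lines (documentation address ranges, placeholder link targets).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jan/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jan/2026:10:00:02 +0000] "GET /go?next=muffon://PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jan/2026:10:00:03 +0000] "GET /go?next=MUFFON%3A%2F%2FPLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jan/2026:10:00:04 +0000] "GET /go?next=muffon%253A%252F%252FPLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Jan/2026:10:00:05 +0000] "GET /music/muffon-review HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_muffon_refs(SAMPLE_LOG):
        print(hit)
```

Hits marked `encoded: True` are the ones a literal grep would not have reported.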
Exploit status
EPSS
0.36% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-55204 is to immediately upgrade Muffon to version 2.3.0 or later, which contains the fix. If upgrading is not immediately feasible, consider blocking muffon:// links at the network level or within web filters. Educate users to be cautious about clicking links from untrusted sources. While a direct workaround is not available, monitoring network traffic for unusual muffon:// requests could provide early detection. After upgrading, confirm the vulnerability is resolved by attempting to trigger the URL scheme with a benign payload and verifying that Muffon does not execute any code.
Update muffon to version 2.3.0 or later. This version fixes the remote code execution vulnerability. Download the latest version from the official website or through the corresponding package manager.
CVE-2025-55204 is a Remote Code Execution (RCE) vulnerability in Muffon versions prior to 2.3.0. A malicious muffon:// link can trigger arbitrary code execution on a victim's machine.
You are affected if you are using Muffon version 2.3.0 or earlier. Upgrade to the latest version (2.3.0) to mitigate the risk.
Upgrade Muffon to version 2.3.0 or later. As a temporary measure, block muffon:// links and educate users to avoid clicking suspicious links.
As of the disclosure date, there is no evidence of active exploitation of CVE-2025-55204.
Refer to the Muffon project's official website or GitHub repository for the advisory and release notes related to version 2.3.0.