Cyber Posture

CVE-2025-55204

High · Public PoC

Published: 05 January 2026

Modified: 12 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (66.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the RCE vulnerability by requiring timely patching of the flawed muffon:// URL handler as fixed in version 2.3.0.

prevent

Addresses the root cause by enforcing validation of inputs processed by the custom URL handler to block malicious code injection.

detect · respond

Provides malicious code protection at system entry points to detect and eradicate code executed from exploited muffon:// links.

Security Summary · AI

CVE-2025-55204 is a one-click remote code execution (RCE) vulnerability affecting Muffon, a cross-platform music streaming client for desktop environments. Versions prior to 2.3.0 are vulnerable due to insufficient validation in the application's custom URL handler for muffon:// scheme links. The issue is classified under CWE-94 (code injection) and CWE-79 (cross-site scripting), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity from network-accessible exploitation requiring minimal user interaction.

An attacker who controls a website can embed a specially crafted muffon:// link, which triggers when a victim visits the site or clicks the link. This causes the victim's browser to invoke Muffon's custom URL handler, launching the application and processing the malicious payload, resulting in arbitrary code execution on the victim's machine without additional interaction. No attacker privileges are required, enabling unauthenticated remote exploitation against users with Muffon installed.

The GitHub security advisory (GHSA-gc3f-gqph-522q) and release notes for version 2.3.0 confirm that updating to Muffon 2.3.0 fully patches the vulnerability by addressing the URL handler flaw. Practitioners should advise users to upgrade immediately and avoid clicking untrusted muffon:// links, with a proof-of-concept available via the referenced Google Drive file for testing purposes.

Details

CWE(s)

Affected Products

muffon
muffon
≤ 2.3.0

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

CVE-2025-55204 enables remote code execution by exploiting a vulnerability in the Muffon desktop client's custom URL handler, directly facilitating T1203: Exploitation for Client Execution via malicious muffon:// links from websites.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References