Eidos Remote Code Execution Vulnerability via Custom URL Handling
Vulnerability
A remote code execution vulnerability has been identified in the Eidos framework for Personal Data Management, affecting version 0.21.0 and prior. An attacker can embed a specially crafted 'eidos:' URL on a website; when the victim clicks the link, the Eidos application is launched to handle the custom URL and ends up executing attacker-supplied JavaScript in its renderer process. The root cause is improper handling of the custom URL protocol, which lets content carried in the URL be injected and executed as code instead of being treated as data.
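The failure mode described above is untrusted custom-URL content reaching the renderer as JavaScript. The handler below shows the opposite pattern: the URL is parsed into a plain data object, checked field by field against an allowlist, and forwarded as a structured message, so nothing from the link is ever assembled into code. This is an added illustration written for this page, not code from the Eidos project; the route names `open` and `search`, their parameters, the identifier format and the `deep-link` IPC channel are all assumptions.

```javascript
// Added example (not the Eidos project's code): a defensive handler for a
// custom "eidos:" deep link. The route names, parameter names, identifier
// format and the IPC channel name are assumptions made for the demonstration.

// Contract for links the app accepts from outside: eidos://<route>?<params>.
// A Map (not a plain object) so that hostnames such as "__proto__" cannot
// resolve to inherited properties. Each route lists the only query
// parameters it accepts; everything else is rejected.
const ALLOWED_ROUTES = new Map([
  ['open', new Set(['space', 'table'])],   // assumed: eidos://open?space=<id>&table=<id>
  ['search', new Set(['q'])],              // assumed: eidos://search?q=<text>
]);
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;  // opaque identifiers only: no quotes, brackets, slashes
const MAX_URL_LENGTH = 2048;
const MAX_QUERY_TEXT = 200;

// Parse an externally supplied URL into a plain data object, or return null.
// Every field is validated; nothing from the URL is interpreted as code.
function parseDeepLink(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.length > MAX_URL_LENGTH) return null;
  let url;
  try {
    url = new URL(rawUrl);                    // WHATWG parser, global in Node.js
  } catch {
    return null;                              // not a syntactically valid URL
  }
  if (url.protocol !== 'eidos:') return null; // only our own scheme, exact match
  const route = url.hostname;
  const allowedParams = ALLOWED_ROUTES.get(route);
  if (!allowedParams) return null;            // unknown route
  // Credentials, ports, paths and fragments are not part of the link contract.
  if (url.username || url.password || url.port || url.hash) return null;
  if (url.pathname !== '' && url.pathname !== '/') return null;

  const params = {};
  for (const [key, value] of url.searchParams) {
    if (!allowedParams.has(key)) return null; // unexpected parameter: reject the whole link
    if (key in params) return null;           // duplicate parameter: reject
    if (route === 'search') {
      if (value.length > MAX_QUERY_TEXT) return null;
      params[key] = value;                    // free text, kept strictly as a string
    } else {
      if (!ID_PATTERN.test(value)) return null;
      params[key] = value;
    }
  }
  return { route, params };
}

// Forward the validated object to the renderer as a structured IPC message.
// `webContents` is anything with Electron's send(channel, payload) shape.
// The insecure alternative this replaces is concatenating the raw URL into a
// JavaScript string and handing that to the renderer for evaluation.
function dispatchDeepLink(rawUrl, webContents) {
  const link = parseDeepLink(rawUrl);
  if (link === null) return false;            // dropped; a real app would log the rejection
  webContents.send('deep-link', link);        // channel name is an assumption
  return true;
}

// Demo with constructed inputs: the first link is accepted, the others rejected.
const demoTarget = { send: (channel, payload) => console.log(channel, JSON.stringify(payload)) };
dispatchDeepLink('eidos://open?space=abc123&table=notes', demoTarget);
console.log(dispatchDeepLink('eidos://open?space=<b>x</b>', demoTarget));  // false
console.log(dispatchDeepLink('javascript://open?space=abc', demoTarget));  // false
```

The renderer side then receives `{ route, params }` over the channel and decides what to do with it using its own code; the link only ever selects among behaviours the application already has. Rejecting the whole link on any unexpected field (rather than stripping the bad part) keeps the accepted set small and easy to reason about.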
Impact
Exploitation of this vulnerability allows for remote code execution on the victim's machine.
Reproduction
To reproduce this vulnerability, embed a crafted 'eidos:' URL into a webpage. The URL should be designed to exploit the application's custom URL handler by injecting JavaScript code. Once the link is clicked, the Eidos application will open and execute the embedded code, leading to remote code execution.
Remediation
As of October 3, 2025, there is no available fix for this vulnerability.
