AFFiNE Remote Code Execution Vulnerability via Custom URL Handling

Vulnerability

A remote code execution vulnerability has been identified in AFFiNE versions prior to 0.25.4. This vulnerability allows attackers to execute arbitrary code on a victim's machine by embedding a specially crafted 'affine:' URL on a website. The issue can be exploited in two scenarios: either when a victim visits a malicious website that automatically redirects to the crafted URL, or when the victim clicks a link containing the URL embedded on a legitimate site. Once the URL is processed by the AFFiNE app, the embedded payload is executed without any further user interaction.

Impact

Exploitation of this vulnerability allows for one-click remote code execution on the victim's machine, with the executed code running in the context of the user.

Reproduction

To reproduce this vulnerability, embed a crafted 'affine:' URL that includes a 'redirect_uri' parameter pointing to a local executable, such as the Calculator app on macOS. When the link is clicked or the URL is automatically opened by a malicious website, the AFFiNE app processes the URL and executes the specified local file, demonstrating the remote code execution vulnerability.
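As an added example (not AFFiNE's own code), this is the kind of check a desktop app can apply to an 'affine:' deep link before acting on its 'redirect_uri', so that a local path or a file: URL is never handed to the operating system. It assumes the target arrives in a 'redirect_uri' query parameter as the advisory states; the host/path layout of the link, the https-only rule and the allowlisted origin are assumptions.

```typescript
// Added example (not AFFiNE's code): validate an 'affine:' deep link before
// the desktop app acts on its redirect_uri. Assumptions: the link carries the
// target in a 'redirect_uri' query parameter (as the advisory states), the
// host/path layout of the link is arbitrary, and only https targets on an
// allowlisted origin may be opened. The allowlist entry is constructed.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set(["https://example.com"]);

interface DeepLinkDecision {
  ok: boolean;
  reason: string;
  target?: string; // normalised target, only present when ok
}

function validateRedirectUri(rawLink: string): DeepLinkDecision {
  let link: URL;
  try {
    link = new URL(rawLink);
  } catch {
    return { ok: false, reason: "unparseable deep link" };
  }
  if (link.protocol !== "affine:") {
    return { ok: false, reason: `unexpected scheme ${link.protocol}` };
  }
  const redirect = link.searchParams.get("redirect_uri");
  if (redirect === null) {
    return { ok: false, reason: "missing redirect_uri" };
  }
  // Parse with no base URL: a bare filesystem path such as
  // /Applications/Calculator.app is not an absolute URL and fails here.
  let target: URL;
  try {
    target = new URL(redirect);
  } catch {
    return { ok: false, reason: "redirect_uri is not an absolute URL" };
  }
  // Scheme check rejects file:, javascript:, custom app schemes and plain http.
  if (target.protocol !== "https:") {
    return { ok: false, reason: `scheme ${target.protocol} not allowed` };
  }
  // Origin check: even an https URL must point at a trusted host.
  if (!ALLOWED_ORIGINS.has(target.origin)) {
    return { ok: false, reason: `origin ${target.origin} not allowlisted` };
  }
  return { ok: true, reason: "allowed", target: target.href };
}
```

Only a decision with ok set to true should reach whatever code opens the target; every rejection carries a reason suitable for logging.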

Remediation

Users can update to AFFiNE version 0.25.4 or later, where this vulnerability has been patched.

Added: Mar 2, 2026, 7:24 PM
Updated: Mar 2, 2026, 8:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.1
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.