{"id":"CVE-2024-21625","summary":"One-click remote code execution via malicious deep link","details":"SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol (`sidequest://`) to trigger actions in the application from its web contents. Because the deep link URLs were not sanitized properly in all cases prior to version 0.10.35, one-click remote code execution can be achieved when a device is connected and the user is presented with a malicious link and clicks it from within the application. As of version 0.10.35, the custom protocol links within the Electron application are parsed and sanitized properly.","aliases":["GHSA-3v86-cf9q-x4x7"],"modified":"2026-05-28T03:55:42.409434375Z","published":"2024-01-04T14:48:34.782Z","database_specific":{"cwe_ids":["CWE-20"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21625.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21625.json"},{"type":"ADVISORY","url":"https://github.com/SideQuestVR/SideQuest/security/advisories/GHSA-3v86-cf9q-x4x7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21625"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sidequestvr/sidequest","events":[{"introduced":"0"},{"fixed":"24e7a1dc3d0d2c23c946eced1d19595a073e85c1"}]}],"versions":["v0.10.33","v0.10.32","v0.10.31","v0.10.30","v0.10.29","v0.10.28","v0.10.27","v0.10.26","v0.10.25","v0.10.24","v0.10.23","v0.10.22","v0.10.21","v0.10.20","v0.10.19","v0.10.18","v0.10.17","v0.10.16","v0.10.15","v0.10.14","v0.10.13"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21625.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}