CVE-2025-55322: OmniParser Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 7.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-Sep
Released: 2025-09-24
EPSS Score: 0.13% (percentile: 32.7%)

Description

Binding to an unrestricted IP address in GitHub allows an unauthorized attacker to execute code over a network.
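The weakness class named in the description is a service that listens on every interface (0.0.0.0 or ::) rather than a loopback or specific address. The following is an added example, not OmniParser's own code: a small Python startup guard that detects an unrestricted bind address and refuses it unless the operator explicitly opts in. The HOST and ALLOW_EXTERNAL environment variables, the port and the stdlib HTTP handler are assumptions for the demonstration.

```python
"""Bind-address guard for a network service (added example, not OmniParser code)."""
import ipaddress
import os
from typing import Optional
from http.server import HTTPServer, BaseHTTPRequestHandler

# Literal spellings that expose a listener on all interfaces; "::" covers IPv6.
UNRESTRICTED = {"", "0.0.0.0", "::", "*"}


def is_unrestricted_bind(host: str) -> bool:
    """True if binding to `host` would listen on every interface."""
    host = host.strip().strip("[]")  # accept the bracketed IPv6 form "[::]"
    if host in UNRESTRICTED:
        return True
    try:
        # Catches other spellings of the unspecified address, e.g. "0.0.0.0" written as "0".
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False  # a hostname; resolution is left to the socket layer


def choose_bind_host(requested: Optional[str], allow_external: bool = False) -> str:
    """Default to loopback; allow an unrestricted address only on explicit opt-in."""
    host = (requested or "127.0.0.1").strip()
    if is_unrestricted_bind(host) and not allow_external:
        raise ValueError(
            f"refusing to bind to unrestricted address {host!r}; "
            "set ALLOW_EXTERNAL=1 (assumed variable) to expose the service"
        )
    return host


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")


if __name__ == "__main__":
    # Weak configuration: HOST=0.0.0.0 would silently expose the service.
    # Hardened: the same value is rejected unless ALLOW_EXTERNAL=1 is also set.
    host = choose_bind_host(
        os.environ.get("HOST"),
        allow_external=os.environ.get("ALLOW_EXTERNAL") == "1",
    )
    HTTPServer((host, 8000), Handler).serve_forever()
```

Running it with no environment set listens on 127.0.0.1 only; `HOST=0.0.0.0` alone exits with the ValueError, which is the behaviour to aim for in a deployment checklist.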

FAQ

Q: According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), integrity (I:L) and availability (A:L). What does that mean for this vulnerability?

A: While we cannot rule out the impact to Confidentiality, Integrity, and Availability, the ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack.

Affected Products (1)

Other

  • OmniParser

Security Updates (2)

Acknowledgments

Aonan Guan (https://www.linkedin.com/in/aonanguan/), Lei Wang (https://www.linkedin.com/in/gabriellawang/)

Revision History

  • 2025-09-24: Information published.