CVE-2025-62186: 
NixOS vulnerability analysis and mitigation

Ankitects Anki before version 25.02.5 contains a security vulnerability that allows a crafted shared deck on Windows to execute arbitrary commands when playing audio due to URL scheme mishandling. The vulnerability was discovered and reported by Michael Lappas, and was fixed in version 25.02.5 released in May 2025 (Anki Release).

The vulnerability is tracked as CVE-2025-62186 and has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The issue stems from improper handling of URL schemes that could be exploited when playing audio from shared decks (NVD Database).

The vulnerability allows attackers to execute arbitrary commands on Windows systems through specially crafted shared decks when playing audio. This could lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (NVD Database).

Users should upgrade to Anki version 25.02.5 or later which fixes the vulnerability. The update also implements additional security measures, including requesting permission before opening links to other applications (eg obsidian://...) (Anki Release).