AFFiNE, an open-source workspace application, contains a critical one-click remote code execution vulnerability in versions prior to 0.25.4. The vulnerability can be exploited through specially crafted affine: URLs embedded on websites. Attackers can trigger the vulnerability through malicious websites with automatic redirects or by embedding crafted links in legitimate websites. When victims interact with these URLs, the browser invokes AFFiNE's custom URL handler, launching the application and processing the malicious URL, resulting in arbitrary code execution without further user interaction. The vulnerability has been patched in version 0.25.4.