GHSA-3ch2-jxxc-v4xf

GitHub Security Advisory

@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

# Command Injection in MCP Server

The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is vulnerable to command injection through the way one of its MCP Server tools is defined and implemented.

## Vulnerable tool

The MCP Server exposes the tool `which-app-on-port`, which relies on the Node.js child process API `exec`. This API is unsafe when the command string is concatenated with untrusted user input, because the whole string is handed to a shell.

Vulnerable lines of code: https://github.com/akoskm/create-mcp-server-stdio/blob/main/src/index.ts#L24-L40

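```ts
// Excerpt from src/index.ts; `exec` is the Node.js child process API.
server.tool("which-app-on-port", { port: z.number() }, async ({ port }) => {
  const result = await new Promise<ProcessInfo>((resolve, reject) => {
    // Vulnerable: the tool input is interpolated into a string run by a shell.
    exec(`lsof -t -i tcp:${port}`, (error, pidStdout) => {
      if (error) {
        reject(error);
        return;
      }
      const pid = pidStdout.trim();
      // Vulnerable: a second shell command built by string interpolation.
      exec(`ps -p ${pid} -o comm=`, (error, stdout) => {
        if (error) {
          reject(error);
          return;
        }
        resolve({ command: stdout.trim(), pid });
      });
    });
  });
  // ... remainder of the handler is not shown in the advisory
});
```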

## Exploitation

When an LLM is tricked through prompt injection (or other techniques and attack vectors) into calling the tool with input that contains special shell characters, such as `; rm -rf /tmp;#` (be careful about actually executing this payload) or other payload variations, the full command-line text is interpreted by the shell, and commands other than `ps` execute on the host running the MCP Server.

Reference example from prior security research on this topic:

![Cursor defined MCP Server vulnerable to command injection](https://res.cloudinary.com/snyk/image/upload/f_auto,w_2560,q_auto/v1747081395/Screenshot_2025-05-07_at_9.22.11_AM_d76kvm.png)

## Impact

User-initiated and remote command injection on a running MCP Server.

## Recommendation

- Don't use `exec`. Use `execFile` instead, which pins the command and provides the arguments as array elements.
- If the user input is not a command-line flag, use the `--` notation to mark the end of the command's flags, which indicates that the text after the `--` double dash is a plain value and not an option.
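
The first recommendation applied to the `which-app-on-port` lookup, as an added example that is not the project's own fix or code from the advisory. The names `toPort`, `parsePids`, `runFile`, `whichAppOnPort` and the injectable `run` parameter are assumptions made for illustration.

```javascript
// Added example (hypothetical names): same lookup, no shell involved.

// Accept only an integer TCP port; anything else is rejected up front.
function toPort(value) {
  if (typeof value !== "number" || !Number.isInteger(value) || value < 1 || value > 65535) {
    throw new TypeError("port must be an integer between 1 and 65535");
  }
  return value;
}

// lsof -t prints one PID per line; keep only lines made purely of digits
// so nothing unexpected from stdout reaches the next command.
function parsePids(stdout) {
  return stdout.split("\n").map((s) => s.trim()).filter((s) => /^[0-9]+$/.test(s));
}

// Default runner: execFile pins the binary and passes each argument as a
// separate array element, so no shell parses metacharacters.
async function runFile(file, args) {
  const { execFile } = await import("node:child_process");
  const { promisify } = await import("node:util");
  const { stdout } = await promisify(execFile)(file, args, { timeout: 5000 });
  return stdout;
}

// `run` is injectable so the argument handling can be tested without lsof/ps.
async function whichAppOnPort(port, run = runFile) {
  const p = toPort(port); // throws before any process is spawned
  const pids = parsePids(await run("lsof", ["-t", "-i", `tcp:${p}`]));
  if (pids.length === 0) throw new Error(`no process found on tcp:${p}`);
  const pid = pids[0]; // several PIDs can share a port; report the first
  const command = (await run("ps", ["-p", pid, "-o", "comm="])).trim();
  return { command, pid };
}
```

The port here is the operand of `-i`, not a free-standing positional value, so the `--` separator from the second recommendation does not apply to this particular call.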

## References and Prior work

1. [Exploiting MCP Servers Vulnerable to Command Injection](https://snyk.io/articles/exploiting-mcp-servers-vulnerable-to-command-injection/)
2. Liran's [Node.js Secure Coding: Defending Against Command Injection Vulnerabilities](https://www.nodejs-security.com/book/command-injection)

Disclosed by [Liran Tal](https://lirantal.com)

Affected Packages

npm @akoskm/create-mcp-server-stdio
Affected versions: 0 (fixed in 0.0.13)

Key Information

- GHSA ID: GHSA-3ch2-jxxc-v4xf
- Published: September 8, 2025 7:42 PM
- Last Modified: September 8, 2025 7:42 PM
- CVSS Score: 9.0 / 10
- Primary Ecosystem: npm
- Primary Package: @akoskm/create-mcp-server-stdio
- GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 9, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.