| Titel | idachev @idachev/mcp-javadc 1.2.4 Command Injection |
|---|
| Beschreibung | A command injection vulnerability (CWE-78) has been identified in @idachev/mcp-javadc, specifically within the index.js component. An attacker with network access to the MCP/HTTP interface can supply maliciously crafted input through the jarFilePath argument of the decompile-from-jar tool, which flows unsanitized into OS command execution via execPromise when constructing shell commands such as jar tf and jar xf. This allows arbitrary system commands to be executed with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and potential service disruption. Versions up to and including 1.2.4 are confirmed affected. |
|---|
| Quelle | ⚠️ https://github.com/idachev/mcp-javadc/issues/7 |
|---|
| Benutzer | BruceJin (UID 96538) |
|---|
| Einreichung | 24.03.2026 10:08 (vor 16 Tagen) |
|---|
| Moderieren | 08.04.2026 16:29 (15 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 356241 [idachev mcp-javadc bis 1.2.4 HTTP Interface jarFilePath erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|