Enviar #637028: GitHub AiondaDotCom/mcp-ssh <=v1.0.3 Command Injectioninformación

TítuloGitHub AiondaDotCom/mcp-ssh <=v1.0.3 Command Injection
DescripciónAiondaDotCom/mcp-ssh is a MCP (Model Context Protocol) server that provides LLMs with access to functionalities of ssh clients that can interact with remote ssh servers such as sending commands or copy files. Command injection vulnerabilities exist in the tools. The issue arises from improper handling of user-supplied input passed to `child_process.exec` when constructing the SSH client command. While the implementation attempted to sanitize double quotes, this can be bypassed using command substitution constructs such as `$(...)`, allowing attackers to inject arbitrary system commands.
Fuente⚠️ https://github.com/AiondaDotCom/mcp-ssh/commit/cd2566a948b696501abfa6c6b03462cac5fb43d8
Usuario
 amgisn (UID 89170)
Sumisión2025-08-18 22:18 (hace 8 meses)
Moderación2025-08-29 08:59 (10 days later)
EstadoAceptado
Entrada de VulDB321862 [AiondaDotCom mcp-ssh hasta 1.0.3 server-simple.mjs escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!