Enviar #784864: elgentos magento2-dev-mcp <=1.0.2 Command Injectioninformación

Título	elgentos magento2-dev-mcp <=1.0.2 Command Injection
Descripción	A command injection vulnerability exists in elgentos/magento2-dev-mcp due to unsafe use of child_process.execAsync when constructing Magerun2 CLI commands with user-controlled input. Successful exploitation allows attackers to execute arbitrary shell commands with the privileges of the MCP server process. The following MCP tools construct command strings using user-supplied parameters and execute them via child_process.execAsync:  config-show: interpolates path, scope, and scopeId parameters  config-set: interpolates path, value, scope, and scopeId parameters  config-store-get: interpolates path and storeId parameters  config-store-set: interpolates path, value, and storeId parameters  cache-view: interpolates key and type parameters  db-query: interpolates query parameter  dev-module-observer-list: interpolates event parameter  dev-module-create: interpolates vendorNamespace, moduleName, authorName, authorEmail, and description parameters  setup-static-content-deploy: interpolates languages and themes parameters  sys-url-list: interpolates storeId parameter  sys-cron-run: interpolates job and group parameters Because execAsync invokes commands through a system shell, specially crafted input containing shell metacharacters (such as `;`, `&`, or `\|`) may be interpreted as additional commands rather than treated as data. For example, an attacker could supply a malicious value in key to inject arbitrary shell commands, which would then be executed with the privileges of the MCP server process. The vulnerability results from shell-based command execution combined with direct interpolation of untrusted input. In MCP environments, LLM-generated tool parameters influenced by external content may trigger execution of injected commands without direct local user interaction.
Fuente	⚠️ https://github.com/elgentos/magento2-dev-mcp/issues/4
Usuario	Yinci Chen (UID 94659)
Sumisión	2026-03-21 09:59 (hace 21 días)
Moderación	2026-04-05 15:58 (15 days later)
Estado	Aceptado
Entrada de VulDB	355395 [elgentos magento2-dev-mcp hasta 1.0.2 src/index.ts executeMagerun2Command escalada de privilegios]
Puntos	20

◂ Anterior Visión De Conjunto Próximo ▸

Might our Artificial Intelligence support you?

Check our Alexa App!