| Título | BurtTheCoder @burtthecoder/mcp-dnstwist 1.0.4 Command Injection |
|---|
| Descripción | An OS command injection vulnerability (CWE-78) has been identified in @burtthecoder/mcp-dnstwist version 1.0.4, specifically within the fuzz_domain MCP tool in src/index.ts. The tool accepts user-controlled parameters such as nameservers, joins them into a shell command string using args.join(' '), and executes the resulting string via child_process.exec without shell escaping or argument-vector separation. An attacker with network access to the MCP interface can inject shell metacharacters into parameters like nameservers to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| Fuente | ⚠️ https://github.com/BurtTheCoder/mcp-dnstwist/issues/13 |
|---|
| Usuario | _Eternity_ (UID 97332) |
|---|
| Sumisión | 2026-04-14 04:11 (hace 2 meses) |
|---|
| Moderación | 2026-04-29 18:49 (16 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 360185 [BurtTheCoder mcp-dnstwist hasta 1.0.4 MCP Interface src/index.ts fuzz_domain Solicitud escalada de privilegios] |
|---|
| Puntos | 20 |
|---|