| Title | wonderwhy-er DesktopCommanderMCP 0.2.37 Denial of Service |
|---|---|

Description

Summary
The start_search tool in DesktopCommanderMCP is vulnerable to Regular Expression Denial of Service (ReDoS) when performing content searches against Excel (.xlsx) or DOCX (.docx) files. The user-supplied pattern parameter is directly compiled into a JavaScript RegExp object via new RegExp(pattern) without any protection against catastrophic backtracking. A malicious pattern such as (a+)+$ applied against crafted file content causes the Node.js event loop to block indefinitely at 100% CPU, rendering the entire MCP server unresponsive.
Note: The ripgrep binary used for plain-text file searching handles regex safely with its own engine and is not vulnerable to ReDoS. This vulnerability only affects the JavaScript-based Excel and DOCX search code paths.
Detail
DesktopCommanderMCP provides AI programming assistants (such as Claude, Gemini, and Cursor) with file system and terminal operations via the Model Context Protocol. The start_search tool supports content searching across multiple file types. When searchType is set to content and the search scope includes Excel or DOCX files (via filePattern or rootPath), the server uses JavaScript's native RegExp engine to match the user-supplied pattern against extracted cell/paragraph text.
The code wraps the new RegExp(pattern) call in a try-catch, but this only catches syntax errors (e.g., [unclosed). Patterns that are syntactically valid but exhibit catastrophic backtracking — such as (a+)+$, (a|a)*$, or (\w+\s?)*$ — pass the check and are executed against file content. When such a pattern encounters a near-matching but ultimately non-matching string (e.g., aaaaaaaaaaaaaaaaaaaaaaaaaaaaaab), the regex engine enters exponential backtracking, blocking the single-threaded Node.js event loop indefinitely.
Clarified: This attack does not require OS-level shell access. The practically feasible triggering path is: an attacker initiates a prompt injection into the AI agent integrated with DesktopCommanderMCP, causing the agent to invoke the start_search tool with a ReDoS payload pattern targeting a directory known to contain Excel or DOCX files. Alternatively, a chained attack could first write a crafted .docx file to the target directory (using the agent's file-write capabilities) and then trigger the search. No direct file system access by the attacker is required.
Vulnerable Code
There are two instances of the same vulnerable pattern — one for Excel search and one for DOCX search.
Instance 1: Excel Search (searchExcelFiles)
Version: Latest
File: src/search-manager.ts (lines 339-357)
```typescript
private async searchExcelFiles(
  rootPath: string,
  pattern: string,
  ignoreCase: boolean,
  maxResults?: number,
  filePattern?: string
): Promise<SearchResult[]> {
  const results: SearchResult[] = [];
  // Build regex for matching content
  const flags = ignoreCase ? 'i' : '';
  let regex: RegExp;
  try {
    regex = new RegExp(pattern, flags);
  } catch {
    // If pattern is not valid regex, escape it for literal matching
    const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    regex = new RegExp(escaped, flags);
  }
  // ... remainder of the method (not shown in the report)
```
Instance 2: DOCX Search (searchDocxFiles)
Version: Latest
File: src/search-manager.ts (lines 523-539)
```typescript
private async searchDocxFiles(
  rootPath: string,
  pattern: string,
  ignoreCase: boolean,
  maxResults?: number,
  filePattern?: string
): Promise<SearchResult[]> {
  const results: SearchResult[] = [];
  const flags = ignoreCase ? 'i' : '';
  let regex: RegExp;
  try {
    regex = new RegExp(pattern, flags);
  } catch {
    // If pattern is not valid regex, escape it for literal matching
    const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    regex = new RegExp(escaped, flags);
  }
  // ... remainder of the method (not shown in the report)
```
The exploitation method for this vulnerability is detailed in https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/375.
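A defensive pre-check for the compile step shown above, written here as an added example (it is not DesktopCommanderMCP's code): it rejects patterns that apply a quantifier to a group containing another quantifier or an alternation, which covers all three patterns named in the report, and it reuses the escape-to-literal fallback the existing catch block already applies to invalid patterns. The names `hasRiskyNesting` and `compileSearchPattern` are assumptions for illustration.

```javascript
// Added example, not DesktopCommanderMCP code. Function names are assumptions.
const QUANTIFIER_START = new Set(['*', '+', '?', '{']);
// Conservative static check: true when a quantifier follows a group that itself
// contains a quantifier or an alternation: (a+)+$, (\w+\s?)*$, (a|a)*$. It also
// flags harmless forms like (foo|bar)+, which then simply match as literals.
function hasRiskyNesting(pattern) {
  const groups = []; // one boolean per open group: "contains a quantifier or |"
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }                // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }      // [a+] is not a quantifier
    if (c === '(') { groups.push(false); continue; }
    if (c === ')') {
      const risky = groups.pop();
      if (risky === undefined) return false;          // unbalanced: RegExp will throw
      const next = pattern[i + 1];
      if (risky && next !== undefined && QUANTIFIER_START.has(next)) return true;
      if (risky && groups.length) groups[groups.length - 1] = true; // propagate outward
      continue;
    }
    if (groups.length && (QUANTIFIER_START.has(c) || c === '|')) {
      groups[groups.length - 1] = true;
    }
  }
  return false;
}

// Same compile step as the report's code, plus the risk check. Risky or invalid
// patterns are escaped and matched literally instead of being run as regexes.
function compileSearchPattern(pattern, ignoreCase) {
  const flags = ignoreCase ? 'i' : '';
  const escapeLiteral = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  if (hasRiskyNesting(pattern)) {
    return { regex: new RegExp(escapeLiteral(pattern), flags), literal: true };
  }
  try {
    return { regex: new RegExp(pattern, flags), literal: false };
  } catch {
    return { regex: new RegExp(escapeLiteral(pattern), flags), literal: true };
  }
}
// Constructed demonstration against the near-miss input from the report.
const nearMiss = 'a'.repeat(30) + 'b';
for (const p of ['(a+)+$', '(a|a)*$', '(\\w+\\s?)*$', 'TODO:.*fixme']) {
  const { regex, literal } = compileSearchPattern(p, false);
  console.log(p, literal ? 'matched literally' : 'compiled as regex', regex.test(nearMiss));
}
```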

| Field | Value |
|---|---|
| Source | https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/375 |
| User | skywings (UID 98274) |
| Submission | 2026-05-15 09:14 (20 days ago) |
| Moderation | 2026-06-02 17:40 (18 days later) |
| Status | Accepted |
| VulDB Entry | 367960 [wonderwhy-er DesktopCommanderMCP up to 0.2.38 start_search src/search-manager.ts SearchResult[] denial of service] |
| Points | 20 |