| Titre | BurtTheCoder @burtthecoder/mcp-dnstwist 1.0.4 Command Injection |
|---|
| Description | An OS command injection vulnerability (CWE-78) has been identified in @burtthecoder/mcp-dnstwist version 1.0.4, specifically within the fuzz_domain MCP tool in src/index.ts. The tool accepts user-controlled parameters such as nameservers, joins them into a shell command string using args.join(' '), and executes the resulting string via child_process.exec without shell escaping or argument-vector separation. An attacker with network access to the MCP interface can inject shell metacharacters into parameters like nameservers to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| La source | ⚠️ https://github.com/BurtTheCoder/mcp-dnstwist/issues/13 |
|---|
| Utilisateur | _Eternity_ (UID 97332) |
|---|
| Soumission | 14/04/2026 04:11 (il y a 2 mois) |
|---|
| Modérer | 29/04/2026 18:49 (16 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 360185 [BurtTheCoder mcp-dnstwist jusqu’à 1.0.4 MCP Interface src/index.ts fuzz_domain Demande élévation de privilèges] |
|---|
| Points | 20 |
|---|