| शीर्षक | PolarVista Xcode-mcp-server 1.0.0 Command Injection |
|---|
| विवरण | An OS command injection vulnerability (CWE-78) has been identified in xcode-mcp-server version 1.0.0, specifically within the build_project and run_tests MCP tools in src/index.ts. The tools accept user-supplied arguments such as projectPath, scheme, configuration, and destination, interpolate them unsafely into shell command strings, and execute the resulting command with child_process.exec without neutralizing shell metacharacters. An attacker with network access to the MCP interface can inject arbitrary operating system commands that execute with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting.
|
|---|
| स्रोत | ⚠️ https://github.com/PolarVista/Xcode-mcp-server/issues/4 |
|---|
| उपयोगकर्ता | _Eternity_ (UID 97332) |
|---|
| सबमिशन | 14/04/2026 02:29 AM (2 महीनों पहले) |
|---|
| संयम | 29/04/2026 03:58 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 360145 [PolarVista xcode-mcp-server 1.0.0 MCP Interface src/index.ts build_project/run_tests अनुरोध अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|