| Title | BurtTheCoder @burtthecoder/mcp-dnstwist 1.0.4 Command Injection |
|---|---|
| Description | An OS command injection vulnerability (CWE-78) has been identified in @burtthecoder/mcp-dnstwist version 1.0.4, specifically within the fuzz_domain MCP tool in src/index.ts. The tool accepts user-controlled parameters such as nameservers, joins them into a shell command string using args.join(' '), and executes the resulting string via child_process.exec without shell escaping or argument-vector separation. An attacker with network access to the MCP interface can inject shell metacharacters into parameters like nameservers to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
| Source | ⚠️ https://github.com/BurtTheCoder/mcp-dnstwist/issues/13 |
| User | _Eternity_ (UID 97332) |
| Submission | 14/04/2026 04:11 AM (2 months ago) |
| Moderation | 29/04/2026 06:49 PM (16 days later) |
| Status | Accepted |
| VulDB Entry | 360185 [BurtTheCoder mcp-dnstwist up to 1.0.4 MCP Interface src/index.ts fuzz_domain Request privilege escalation] |
| Points | 20 |
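
The pattern named in the description (`args.join(' ')` passed to `child_process.exec`) next to a hardened form, as an added example that is not code from the mcp-dnstwist project. Assumptions: a `dnstwist` binary on PATH invoked with its `--format` and `--nameservers` options, and the hypothetical helper names `buildShellString`, `buildArgv` and `fuzzDomain`.

```javascript
// Added example, not the project's code. Assumes a `dnstwist` binary on PATH.

// Pattern from the description: every parameter is joined into one string.
// Under exec() a shell parses that string, so metacharacters in `nameservers`
// end the dnstwist command and start another one.
function buildShellString(domain, nameservers) {
  const args = ['dnstwist', '--format', 'json', '--nameservers', nameservers, domain];
  return args.join(' '); // this string would be handed to child_process.exec
}

// Allow-lists: first character must be alphanumeric, which also rejects a
// leading '-' (option injection still matters when no shell is involved).
const DOMAIN = /^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/;
const NAMESERVER = /^[A-Za-z0-9][A-Za-z0-9.:-]{0,252}$/; // IPv4, IPv6 or hostname

// Hardened: validate each value, then keep each one as its own argv element.
function buildArgv(domain, nameservers) {
  if (typeof domain !== 'string' || !DOMAIN.test(domain)) {
    throw new Error('invalid domain');
  }
  const argv = ['--format', 'json'];
  if (nameservers !== undefined) {
    const list = String(nameservers).split(',');
    for (const ns of list) {
      if (!NAMESERVER.test(ns)) {
        throw new Error(`invalid nameserver: ${JSON.stringify(ns)}`);
      }
    }
    argv.push('--nameservers', list.join(','));
  }
  argv.push(domain);
  return argv;
}

// execFile hands argv to the process directly; no shell interprets it.
async function fuzzDomain(domain, nameservers) {
  const { execFile } = await import('node:child_process');
  const argv = buildArgv(domain, nameservers);
  return new Promise((resolve, reject) => {
    execFile('dnstwist', argv, { timeout: 60000, maxBuffer: 16 * 1024 * 1024 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}
```

The allow-list is deliberately narrower than what dnstwist may accept (for example, DoH URLs are rejected); widen it only with a stricter per-format parser.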