| शीर्षक | VetCoders mcp-server-semgrep 1.0.0 Command Injection |
|---|
| विवरण | An OS command injection vulnerability (CWE-78) has been identified in mcp-server-semgrep version 1.0.0, specifically within src/index.ts. Multiple MCP tools (including analyze_results, filter_results, export_results, compare_results, scan_directory, and create_rule) accept user‑controlled path or rule arguments, perform only a prefix‑based directory check, and then interpolate the values unsafely into shell command strings executed via child_process.exec. An attacker with network access to the MCP interface can inject shell metacharacters (e.g., ;, #) into these arguments to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| स्रोत | ⚠️ https://github.com/VetCoders/mcp-server-semgrep/issues/12 |
|---|
| उपयोगकर्ता | _Eternity_ (UID 97332) |
|---|
| सबमिशन | 14/04/2026 05:54 AM (2 महीनों पहले) |
|---|
| संयम | 29/04/2026 06:57 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 360187 [VetCoders mcp-server-semgrep 1.0.0 MCP Interface src/index.ts पहचान अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|