| शीर्षक | privsim mcp-test-runner 0.2.0, Commit 83c84ed053f534774f7de935aeaa7698a5e5f9dc Command Injection |
|---|
| विवरण | A command injection vulnerability (CWE-78) has been identified in mcp-test-runner (package @modelcontextprotocol/server-test-runner) version 0.2.0, specifically within the run_tests MCP tool. The tool accepts a user‑supplied command argument and, when a non‑generic framework (e.g., jest, pytest) is selected, executes it via child_process.spawn with shell: true without validation or sanitization. An attacker with network access to the MCP interface can inject arbitrary shell commands into the command parameter, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting.
|
|---|
| स्रोत | ⚠️ https://github.com/privsim/mcp-test-runner/issues/24 |
|---|
| उपयोगकर्ता | BruceJqs (UID 97404) |
|---|
| सबमिशन | 18/04/2026 08:12 AM (2 महीनों पहले) |
|---|
| संयम | 03/05/2026 06:05 PM (15 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 360905 [privsim mcp-test-runner 0.2.0 MCP Interface src/index.ts child_process.spawn command अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|