| タイトル | Toowiredd chatgpt-mcp-server 0.1.0 OS Command Injection |
|---|
| 説明 | A command injection vulnerability (CWE-78) has been identified in chatgpt-mcp-server, specifically within the docker.service.ts component. An attacker with network access to the MCP/HTTP interface can supply maliciously crafted input through various tool arguments—such as container names, image names, or commands—which flow unsanitized into OS command execution via execAsync when constructing Docker commands. This allows arbitrary system commands to be executed with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and potential service disruption. Versions up to and including 0.1.0 are confirmed affected. |
|---|
| ソース | ⚠️ https://github.com/Toowiredd/chatgpt-mcp-server/issues/8 |
|---|
| ユーザー | MidA (UID 96794) |
|---|
| 送信 | 2026年04月07日 10:31 (21 日 ago) |
|---|
| モデレーション | 2026年04月26日 09:03 (19 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 359636 [Toowiredd chatgpt-mcp-server 迄 0.1.0 MCP/HTTP docker.service.ts 特権昇格] |
|---|
| ポイント | 20 |
|---|