| 제목 | BurtTheCoder @burtthecoder/mcp-dnstwist 1.0.4 Command Injection |
|---|
| 설명 | An OS command injection vulnerability (CWE-78) has been identified in @burtthecoder/mcp-dnstwist version 1.0.4, specifically within the fuzz_domain MCP tool in src/index.ts. The tool accepts user-controlled parameters such as nameservers, joins them into a shell command string using args.join(' '), and executes the resulting string via child_process.exec without shell escaping or argument-vector separation. An attacker with network access to the MCP interface can inject shell metacharacters into parameters like nameservers to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| 원천 | ⚠️ https://github.com/BurtTheCoder/mcp-dnstwist/issues/13 |
|---|
| 사용자 | _Eternity_ (UID 97332) |
|---|
| 제출 | 2026. 04. 14. AM 04:11 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 04. 29. PM 06:49 (16 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 360185 [BurtTheCoder mcp-dnstwist 까지 1.0.4 MCP Interface src/index.ts fuzz_domain 요청 권한 상승] |
|---|
| 포인트들 | 20 |
|---|