| 제목 | VetCoders mcp-server-semgrep 1.0.0 Command Injection |
|---|
| 설명 | An OS command injection vulnerability (CWE-78) has been identified in mcp-server-semgrep version 1.0.0, specifically within src/index.ts. Multiple MCP tools (including analyze_results, filter_results, export_results, compare_results, scan_directory, and create_rule) accept user‑controlled path or rule arguments, perform only a prefix‑based directory check, and then interpolate the values unsafely into shell command strings executed via child_process.exec. An attacker with network access to the MCP interface can inject shell metacharacters (e.g., ;, #) into these arguments to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| 원천 | ⚠️ https://github.com/VetCoders/mcp-server-semgrep/issues/12 |
|---|
| 사용자 | _Eternity_ (UID 97332) |
|---|
| 제출 | 2026. 04. 14. AM 05:54 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 04. 29. PM 06:57 (16 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 360187 [VetCoders mcp-server-semgrep 1.0.0 MCP Interface src/index.ts 아이디 권한 상승] |
|---|
| 포인트들 | 20 |
|---|