| Título | VetCoders mcp-server-semgrep 1.0.0 Command Injection |
|---|
| Descrição | An OS command injection vulnerability (CWE-78) has been identified in mcp-server-semgrep version 1.0.0, specifically within src/index.ts. Multiple MCP tools (including analyze_results, filter_results, export_results, compare_results, scan_directory, and create_rule) accept user‑controlled path or rule arguments, perform only a prefix‑based directory check, and then interpolate the values unsafely into shell command strings executed via child_process.exec. An attacker with network access to the MCP interface can inject shell metacharacters (e.g., ;, #) into these arguments to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| Fonte | ⚠️ https://github.com/VetCoders/mcp-server-semgrep/issues/12 |
|---|
| Utilizador | _Eternity_ (UID 97332) |
|---|
| Submissão | 14/04/2026 05h54 (há 2 meses) |
|---|
| Moderação | 29/04/2026 18h57 (16 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 360187 [VetCoders mcp-server-semgrep 1.0.0 MCP Interface src/index.ts ID Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|