| Название | VetCoders mcp-server-semgrep 1.0.0 Command Injection |
|---|
| Описание | An OS command injection vulnerability (CWE-78) has been identified in mcp-server-semgrep version 1.0.0, specifically within src/index.ts. Multiple MCP tools (including analyze_results, filter_results, export_results, compare_results, scan_directory, and create_rule) accept user‑controlled path or rule arguments, perform only a prefix‑based directory check, and then interpolate the values unsafely into shell command strings executed via child_process.exec. An attacker with network access to the MCP interface can inject shell metacharacters (e.g., ;, #) into these arguments to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting. |
|---|
| Источник | ⚠️ https://github.com/VetCoders/mcp-server-semgrep/issues/12 |
|---|
| Пользователь | _Eternity_ (UID 97332) |
|---|
| Представление | 14.04.2026 05:54 (2 месяцы назад) |
|---|
| Модерация | 29.04.2026 18:57 (16 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 360187 [VetCoders mcp-server-semgrep 1.0.0 MCP Interface src/index.ts ИД эскалация привилегий] |
|---|
| Баллы | 20 |
|---|