Submit #802138: jackwrichards fastly-mcp-server 6f3d0b0e654fc51076badc7fa16c03c461f95620 Command Injectioninfo

Titlejackwrichards fastly-mcp-server 6f3d0b0e654fc51076badc7fa16c03c461f95620 Command Injection
DescriptionSource-code review of jackwrichards/FastlyMCP confirms that attacker-controlled MCP request data reaches a shell-executed Fastly CLI command. The fastly_cli tool accepts an arbitrary command string, appends it to a PowerShell command line, and executes it through child_process.exec. Because the input is interpreted by PowerShell, an attacker can inject additional commands and execute arbitrary OS commands with the privileges of the MCP server process.
Source⚠️ https://github.com/jackwrichards/FastlyMCP/issues/3
User
 CPT_Penner (UID 97246)
Submission04/10/2026 16:27 (3 months ago)
Moderation04/27/2026 17:32 (17 days later)
StatusAccepted
VulDB entry359820 [jackwrichards FastlyMCP up to 6f3d0b0e654fc51076badc7fa16c03c461f95620 fastly_cli Tool fastly-mcp.mjs command os command injection]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!