Submit #804027: BurtTheCoder @burtthecoder/mcp-dnstwist 1.0.4 Command Injectioninfo

TitleBurtTheCoder @burtthecoder/mcp-dnstwist 1.0.4 Command Injection
DescriptionAn OS command injection vulnerability (CWE-78) has been identified in @burtthecoder/mcp-dnstwist version 1.0.4, specifically within the fuzz_domain MCP tool in src/index.ts. The tool accepts user-controlled parameters such as nameservers, joins them into a shell command string using args.join(' '), and executes the resulting string via child_process.exec without shell escaping or argument-vector separation. An attacker with network access to the MCP interface can inject shell metacharacters into parameters like nameservers to execute arbitrary operating system commands with the privileges of the server process, leading to full host compromise, including data exposure, integrity loss, and service disruption. No fixed version is available at the time of reporting.
Source⚠️ https://github.com/BurtTheCoder/mcp-dnstwist/issues/13
User
 _Eternity_ (UID 97332)
Submission04/14/2026 04:11 (3 months ago)
Moderation04/29/2026 18:49 (16 days later)
StatusAccepted
VulDB entry360185 [BurtTheCoder mcp-dnstwist up to 1.0.4 MCP Interface src/index.ts fuzz_domain Request os command injection]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!