Submit #804413: eyal-gor p_69_branch_monkey_mcp d77e757 Command Injectioninfo

Titleeyal-gor p_69_branch_monkey_mcp d77e757 Command Injection
DescriptionThe time-machine preview feature creates a temporary worktree for a requested commit and optionally starts a dev server. If the caller provides dev_script, the server does: command = request.dev_script.replace("{port}", str(port)) subprocess.Popen(command, shell=True, cwd=str(work_path), ...) Because the string is executed through the system shell, metacharacters such as ;, &&, $(), or shell redirection are interpreted. An attacker only needs to provide any valid local Git repository path and a valid commit SHA to turn this endpoint into arbitrary OS command execution.
Source⚠️ https://github.com/eyal-gor/p_69_branch_monkey_mcp/issues/8
User
 LargeW (UID 97302)
Submission04/14/2026 15:20 (3 months ago)
Moderation05/01/2026 11:35 (17 days later)
StatusAccepted
VulDB entry360543 [eyal-gor p_69_branch_monkey_mcp up to 69bc71874ce40050ef45fde5a435855f18af3373 Preview Endpoint advanced.py dev_script os command injection]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!