wonderwhy-er DesktopCommanderMCP up to 0.2.13 Absolute Path src/command-manager.ts extractBaseCommand os command injection

Summaryinfo

A vulnerability identified as critical has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The impacted element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Performing a manipulation results in os command injection. This vulnerability is cataloged as CVE-2025-11490. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor explains: "The usual use case is that AI is asked to do something, picks commands itself, and typically uses simple command names without absolute paths. It's curious why a user would ask the model to bypass restrictions this way. (...) This could potentially be a problem, but we are yet to hear reports of this being an issue in actual workflows. We'll leave this issue open for situations where people may report this as a problem for the long term."

Detailsinfo

A vulnerability classified as critical has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This affects the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. The manipulation with an unknown input leads to a os command injection vulnerability. CWE is classifying the issue as CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability.

The weakness was shared by Max Alster-Caminer (crem) with Mantel as 218. The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2025-11490. The exploitability is told to be easy. It is possible to initiate the attack remotely. Technical details and a public exploit are known. MITRE ATT&CK project uses the attack technique T1202 for this issue.

The exploit is shared for download at github.com. It is declared as proof-of-concept. The vendor explains: "The usual use case is that AI is asked to do something, picks commands itself, and typically uses simple command names without absolute paths. It's curious why a user would ask the model to bypass restrictions this way. (...) This could potentially be a problem, but we are yet to hear reports of this being an issue in actual workflows. We'll leave this issue open for situations where people may report this as a problem for the long term."

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-33288). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• wonderwhy-er

Name

• DesktopCommanderMCP

Version

• 0.2.0
• 0.2.1
• 0.2.2
• 0.2.3
• 0.2.4
• 0.2.5
• 0.2.6
• 0.2.7
• 0.2.8
• 0.2.9
• 0.2.10
• 0.2.11
• 0.2.12
• 0.2.13

Website

• Product: https://github.com/wonderwhy-er/DesktopCommanderMCP/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #668005: wonderwhy-er DesktopCommanderMCP 0.2.13 OS Command Injection (by crem)

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion