提交 #784864: elgentos magento2-dev-mcp <=1.0.2 Command Injection信息

标题	elgentos magento2-dev-mcp <=1.0.2 Command Injection
描述	A command injection vulnerability exists in elgentos/magento2-dev-mcp due to unsafe use of child_process.execAsync when constructing Magerun2 CLI commands with user-controlled input. Successful exploitation allows attackers to execute arbitrary shell commands with the privileges of the MCP server process. The following MCP tools construct command strings using user-supplied parameters and execute them via child_process.execAsync:  config-show: interpolates path, scope, and scopeId parameters  config-set: interpolates path, value, scope, and scopeId parameters  config-store-get: interpolates path and storeId parameters  config-store-set: interpolates path, value, and storeId parameters  cache-view: interpolates key and type parameters  db-query: interpolates query parameter  dev-module-observer-list: interpolates event parameter  dev-module-create: interpolates vendorNamespace, moduleName, authorName, authorEmail, and description parameters  setup-static-content-deploy: interpolates languages and themes parameters  sys-url-list: interpolates storeId parameter  sys-cron-run: interpolates job and group parameters Because execAsync invokes commands through a system shell, specially crafted input containing shell metacharacters (such as `;`, `&`, or `\|`) may be interpreted as additional commands rather than treated as data. For example, an attacker could supply a malicious value in key to inject arbitrary shell commands, which would then be executed with the privileges of the MCP server process. The vulnerability results from shell-based command execution combined with direct interpolation of untrusted input. In MCP environments, LLM-generated tool parameters influenced by external content may trigger execution of injected commands without direct local user interaction.
来源	⚠️ https://github.com/elgentos/magento2-dev-mcp/issues/4
用户	Yinci Chen (UID 94659)
提交	2026-03-21 09時59分 (20 日前)
管理	2026-04-05 15時58分 (15 days later)
状态	已接受
VulDB条目	355395 [elgentos magento2-dev-mcp 直到 1.0.2 src/index.ts executeMagerun2Command 权限提升]
积分	20

◂ 上一步一览下一步 ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!