GHSA-vf9j-h32g-2764

Описание

Summary

A command injection vulnerability exists in the mcp-package-docs MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges.

The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.).

Details

The MCP Server exposes tools to access documentation for several types of packages. An MCP Client can be instructed to execute additional actions for example via prompt injection when asked to read package documentation. Below some example of vulnerable code and different ways to test this vulnerability including a real example of indirect prompt injection that can lead to arbitrary command injection.

Vulnerable code

The following snippet illustrates the vulnerable code pattern used in the MCP Server’s tooling. Note: These is only one instance, but similar patterns may exist elsewhere in the codebase.

Realistic Example - Indirect prompt injection via package docs

1. Create a local go package under home folder (in my setup is /home/ubuntu/)

I created a local package to simplify the PoC.

2. Add prompt instructions in the comment of mypackage/mypackage.go

3. check the doc

4. Verify the file /tmp/TEST1 does not exist (on the host machine):

3. setup your client IDE

4. open the chat and enter the following prompt (it's an example - replace /home/[USER]/ with the correct home folder)

5. run the describe_go_package tool. The request will look like the following:

6. Observe that the response will contain the doc content but will also trigger the describe_go_package tool execution (again) with a malicious payload that can lead to command injection on the host machine
7. run the describe_go_package tool (if you have auto run functionality enabled this will be executed without user interaction)

Result:

7. Confirm that the injected command executed:

Using MCP Inspector

1. Open the MCP Inspector:

2. In MCP Inspector:

   • set transport type: STDIO
   • set the command to npx
   • set the arguments to mcp-package-docs
   • click Connect
   • go to the Tools tab and click List Tools
   • select the describe_go_package tool

3. Verify the file /tmp/TEST does not exist:

5. In the package field, input:

• Click Run Tool

6. Observe the request being sent:

Response:

7. Confirm that the injected command executed:

Remediation

To mitigate this vulnerability, I suggest to avoid using child_process.exec with untrusted input. Instead, use a safer API such as child_process.execFile, which allows you to pass arguments as a separate array — avoiding shell interpretation entirely.

Impact

Command Injection / Remote Code Execution (RCE)

References

• https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare/
• https://invariantlabs.ai/blog/mcp-github-vulnerability

Similar Issues

• https://github.com/advisories/GHSA-gjv4-ghm7-q58q
• https://github.com/advisories/GHSA-5w57-2ccq-8w95
• https://github.com/advisories/GHSA-3q26-f695-pp76

Response Timeline

• Received report of security finding 8:19AM (Melbourne/Australia)
• Reviewed report and responded to researcher by 8:47AM requesting vulnerability details
• Received detailed report at 9:33AM
• Investigated and issued a fix at 10:35AM with updated release (v0.1.27, then v0.1.28) shortly after.
• Patched in https://github.com/sammcj/mcp-package-docs/releases/tag/v0.1.28
• As this repo is no longer in active development the package was marked as deprecated on npm and the GitHub repository archived (re-opened to update this report)