Yinci Chen

**Nome do Software Vulnerável e Versões Afetadas** crazyrabbitLTC mcp-code-review-server versões anteriores a 0.1.1 **Descrição** Uma falha de injeção de comando existe no componente RepoMix Command Handler, especificamente na função `executeRepomix()` do arquivo `src/repomix.ts`. Este problema permite que um invasor remoto realize manipulações que resultam na execução de comandos não autorizados. **Recomendações** Como medida paliativa temporária, restrinja o uso da função `executeRepomix()` até que uma correção esteja disponível. No momento, não há informações sobre uma versão mais recente que contenha a correção para esta vulnerabilidade.

**Nome do Software Vulnerável e Versões Afetadas** awesome-cursor-mpc-server versões anteriores a 2.0.2 **Descrição** Uma falha no componente Ccode-Review Tool permite a injeção remota de comandos. O problema existe na função `runCodeReviewTool()` localizada no arquivo `src/tools/codeReview.ts`, onde a manipulação inadequada pode levar à execução de comandos arbitrários. **Recomendações** Como medida paliativa temporária, restrinja o uso da função `runCodeReviewTool()` até que uma correção esteja disponível.

Name of the Vulnerable Software and Affected Versions awwaiid mcp-server-taskwarrior versões até 1.0.1 Description Um problema de segurança existe no awwaiid mcp-server-taskwarrior até a versão 1.0.1. A função `server.setRequestHandler` dentro do arquivo `index.ts` é suscetível a injeção de comando através da manipulação do argumento `Identifier`. Isso requer acesso local para executar o ataque. O patch identificado como 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2 resolve este problema. Recommendations Aplique o patch 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2 para resolver esta vulnerabilidade.

Name of the Vulnerable Software and Affected Versions elgentos magento2-dev-mcp versions up to 1.0.2 Description A flaw exists in elgentos magento2-dev-mcp up to version 1.0.2 due to a command injection issue within the `executeMagerun2Command` function located in the src/index.ts file. This manipulation can be exploited locally. Recommendations Apply the patch aa1ffcc0aea1b212c69787391783af27df15ae9d to resolve the issue.

Name of the Vulnerable Software and Affected Versions Nor2-io heim-mcp versões até 0.1.3 Description Uma falha existe na função `registerTools` dentro do arquivo `src/tools.ts` do componente `new heim application/deploy heim application/deploy heim application to cloud`. Isso pode levar à injeção de comandos do sistema operacional, exigindo acesso local para exploração. A questão foi divulgada publicamente. Recommendations Instale o patch c321d8af25f77668781e6ccb43a1336f9185df37 para resolver este problema.

Name of the Vulnerable Software and Affected Versions efforthye fast-filesystem-mcp versões até 3.5.1 Description Uma falha de segurança existe no efforthye fast-filesystem-mcp até a versão 3.5.1. A função `handleGetDiskUsage` dentro do arquivo src/index.ts é suscetível a injeção de comandos. Esta falha é explorável remotamente. O exploit foi divulgado publicamente e pode ser usado para ataques. Recommendations Atualize o efforthye fast-filesystem-mcp para uma versão posterior à 3.5.1.

**Name of the Vulnerable Software and Affected Versions** raine consult-llm-mcp versions through 2.5.3 **Description** A flaw exists in the `child process.execSync` function within the `src/server.ts` file. Manipulation of the `git diff.base ref`/`git diff.files` argument can lead to operating system command injection. This issue is only exploitable with local access. The exploit is publicly available. **Recommendations** Upgrade to version 2.5.4 to address this issue.

**Name of the Vulnerable Software and Affected Versions** DeDeveloper23 codebase-mcp up to 3ec749d237dd8eabbeef48657cf917275792fde6 **Description** A flaw exists in the `getCodebase`/`getRemoteCodebase`/`saveCodebase` functions within the `src/tools/codebase.ts` file of the RepoMix Command Handler component. This issue allows for operating system command injection. The attack requires local access. The exploit is publicly available. The product utilizes a rolling release model, making specific version information for updates unavailable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** kazuph mcp-docs-rag versions up to 0.5.0 **Description** A flaw exists in the `cloneRepository` function within the `src/index.ts` file of the `add git repository/add text file` component. This issue allows for operating system command injection, requiring local access for exploitation. The project maintainers were notified of the issue but have not yet responded. The exploit is publicly available. **Recommendations** Versions prior to 0.5.1 should be updated. As a temporary workaround, consider restricting access to the `cloneRepository` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** sigmade Git-MCP-Server versions prior to 785aa159f262a02d5791a5d8a8e13c507ac42880 **Description** A flaw exists in sigmade Git-MCP-Server due to an os command injection within the `child process.exec` function located in the `src/gitUtils.ts` file, specifically within the `show file diff` component. The issue is triggered through local exploitation. The exploit has been publicly disclosed. **Recommendations** Apply a patch to correct this issue.

**Name of the Vulnerable Software and Affected Versions** bazinga012 mcp code executor versions up to 0.3.0 **Description** A flaw exists in the `installDependencies` function within the `src/index.ts` file that could allow for command injection. This issue is exploitable only within a local environment and a public exploit is available. The project maintainers were notified of the issue but have not yet responded. **Recommendations** Apply a patch to resolve this issue. As a temporary workaround, consider restricting access to the `installDependencies` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** hypermodel-labs mcp-server-auto-commit version 1.0.0 **Description** A command injection issue exists in the `getGitChanges` function within the `index.ts` file. This manipulation allows for local execution of commands. The exploit has been publicly disclosed. **Recommendations** Apply patch f7d992c830c5f2ec5749852e66c0195e3ed7fe30 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** AvinashBole quip-mcp-server version 1.0.0 **Description** A flaw exists in AvinashBole quip-mcp-server that allows for command injection. The issue is located within the `setupToolHandlers` function in the `src/index.ts` file. This manipulation can be performed remotely. The exploit for this issue has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 0xKoda WireMCP versions up to 7f45f8b2b4adeb76be8c6227eefb38533fdd6b1e **Description** A flaw exists in 0xKoda WireMCP that allows for operating system command injection. The issue resides in the `server.tool` function within the `index.js` file of the Tshark CLI Command Handler component. Manipulation of this function can lead to the execution of arbitrary commands on the system. The attack requires local access. The exploit for this issue has been publicly released. The product employs a rolling release system, meaning version information for affected or updated releases is not publicly available. The project maintainers were notified of the issue but have not yet responded. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RyuzakiShinji biome-mcp-server versions up to 1.0.0 **Description** A security flaw exists in RyuzakiShinji biome-mcp-server up to version 1.0.0, related to an unknown functionality within the `biome-mcp-server.ts` file. A manipulation of this functionality can lead to command injection, and the attack can be initiated remotely. The exploit has been publicly released. **Recommendations** Apply patch 335e1727147efeef011f1ff8b05dd751d8a660be.

**Nome do Software Vulnerável e Versões Afetadas** PhialsBasement nmap-mcp-server versões até bee6d23547d57ae02460022f7c78ac0893092e38 **Descrição** Existe um problema de injeção de comando na função `child process.exec` dentro do componente Nmap CLI Command Handler, localizado no arquivo `src/index.ts`. Esta manipulação pode ser realizada remotamente. O produto utiliza um sistema de rolling release, e informações específicas de versão para lançamentos afetados ou atualizados não são divulgadas. **Recomendações** Aplique o patch 30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488 para resolver este problema.