Crem

**Name of the Vulnerable Software and Affected Versions** wonderwhy-er DesktopCommanderMCP versions up to 0.2.13 **Description** A security issue has been identified in the `isPathAllowed` function within the `src/tools/filesystem.ts` file of wonderwhy-er DesktopCommanderMCP. This allows for symlink following, potentially leading to unauthorized access or manipulation of files. The attack requires local access and is considered difficult to exploit. The vendor acknowledges that the restriction features are not intended as hardened security boundaries and recommends using Desktop Commander with Docker for enhanced isolation when security is a primary concern. This vulnerability impacts products that are no longer supported by the maintainer. **Recommendations** Versions prior to 0.2.14 are affected. Consider using Desktop Commander with Docker, which provides actual isolation.

**Name of the Vulnerable Software and Affected Versions** wonderwhy-er DesktopCommanderMCP versions up to 0.2.13 **Description** A flaw exists within the software that allows for operating system command injection. This occurs due to improper handling of commands within the `extractBaseCommand` function located in the `src/command-manager.ts` file, specifically within the Absolute Path Handler component. The issue can be triggered remotely. The exploit details have been publicly disclosed. The vendor acknowledges the potential for misuse but has not yet received reports of real-world exploitation. **Recommendations** Versions prior to 0.2.13 should be used.

**Name of the Vulnerable Software and Affected Versions** wonderwhy-er DesktopCommanderMCP versions through 0.2.13 **Description** A flaw exists in the CommandManager function within the src/command-manager.ts file that allows for operating system command injection. This issue can be triggered remotely. The exploit is publicly available. The `CommandManager` function is susceptible to manipulation. **Recommendations** Versions prior to 0.2.13 should be updated. Consider temporarily disabling the `CommandManager` function until a patch is available.