Unknown · Mcp-Server-Aws-Resources-Python · CVE-2025-63604
**Name of the Vulnerable Software and Affected Versions**
baryhuang/mcp-server-aws-resources-python version 0.1.0
**Description**
A code injection issue exists due to insufficient input validation in the `execute_query` method. This allows for remote code execution by exposing dangerous Python built-in functions (`__import__`, `getattr`, `hasattr`) in the execution namespace and directly using `exec()` to execute user-supplied code. An attacker can craft malicious queries to execute arbitrary Python code, potentially leading to AWS credential theft (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), file system access, and environment variable disclosure. This can result in system compromise and unauthorized access to sensitive AWS resources.
**Recommendations**
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `execute_query` function until a patch is available.
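As an added illustration, not code from the mcp-server-aws-resources-python project: the hardened shape an `execute_query`-style entry point can take instead of handing user text to `exec()` with `__import__`/`getattr`/`hasattr` in scope, namely parsing the query as one expression and allowlisting its AST before evaluating it with no builtins. `validate_query`, `run_query` and `FakeS3` are hypothetical names, and the sample queries are constructed.

```python
import ast

# Builtins the advisory names (plus a few siblings) that turn a "query" into
# arbitrary code once they are reachable from the exec/eval namespace.
FORBIDDEN_NAMES = {"__import__", "getattr", "hasattr", "exec", "eval", "open", "compile"}

# Allowed syntax: one expression made of attribute access, calls, names,
# keyword arguments and literals. No statements, lambdas or comprehensions.
ALLOWED_NODES = (ast.Expression, ast.Call, ast.Attribute, ast.Name, ast.Load,
                 ast.Constant, ast.keyword, ast.List, ast.Tuple, ast.Dict)


def validate_query(query, allowed_roots=("s3", "ec2")):
    """Return the reasons a query is rejected; an empty list means accepted.

    Hardened stance: parse the text as a single expression and allowlist the
    AST instead of handing the raw string to exec() with builtins in scope.
    """
    try:
        tree = ast.parse(query, mode="eval")
    except SyntaxError as e:
        return ["not a single expression: %s" % e.msg]
    reasons = []
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            reasons.append("disallowed syntax: " + type(node).__name__)
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            reasons.append("forbidden builtin: " + node.id)
        elif isinstance(node, ast.Name) and node.id not in allowed_roots:
            reasons.append("unknown root name: " + node.id)
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            reasons.append("private/dunder attribute: " + node.attr)
    return reasons


class FakeS3:
    """Constructed stand-in for a boto3 client so the example runs offline."""

    def list_buckets(self, MaxBuckets=None):
        names = ["logs", "backups", "site"]
        return {"Buckets": [{"Name": n} for n in names[:MaxBuckets]]}


def run_query(query, clients):
    """Evaluate a query only after it passes the allowlist, with no builtins."""
    problems = validate_query(query, allowed_roots=tuple(clients))
    if problems:
        raise ValueError("; ".join(problems))
    # An empty __builtins__ keeps __import__/getattr/hasattr out of reach even
    # if a future allowlist mistake lets an unexpected name through.
    return eval(compile(query, "<query>", "eval"), {"__builtins__": {}}, dict(clients))
```

The AST allowlist is the primary control; the empty `__builtins__` is defence in depth, not a sandbox on its own.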