CVE-2025-52573

Name of the Vulnerable Software and Affected Versions: iOS Simulator MCP Server versions prior to 1.3.3

Description: The issue concerns a command injection vulnerability in the MCP Server tool definition and implementation. The MCP Server exposes the tool ui tap, which relies on the Node.js child process API exec. This API is vulnerable if concatenated with untrusted user input. User input for duration, udid, and x and y args can be replaced with shell meta-characters to change the behavior from running the expected command to another command. When tricked through prompt injection, the full command-line text will be intercepted by the shell, resulting in other commands executing on the host running the MCP Server.

Recommendations: For versions prior to 1.3.3, update to version 1.3.3, which contains a patch for the issue. As a temporary workaround, consider restricting access to the ui tap tool and limiting user input to prevent the use of special shell characters. Avoid using the parameters duration, udid, x, and y in the affected API endpoint until the issue is resolved.