PT-2025-30308 · Unknown · @Translated/Lara-Mcp

Dellalibera · Published 2025-07-21 · Updated 2025-07-22 · CVE-2025-53832

CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @translated/lara-mcp versions 0.0.11 and below
Description: A command injection vulnerability exists in the @translated/lara-mcp MCP Server because input parameters are used unsanitized in a call to `child_process.exec`. Successful exploitation can lead to remote code execution with the privileges of the server process. The server constructs and executes shell commands from unvalidated user input, so shell metacharacters in that input are interpreted by the shell. An attacker can reach this code path through indirect prompt injection, by placing crafted content in files or remote data sources that the server processes. This allows arbitrary command execution on the host machine.
Recommendations: For @translated/lara-mcp versions prior to 0.0.12, avoid using `child_process.exec` with untrusted input. Instead, use a safer API such as `child_process.execFile`, which takes the arguments as a separate array and avoids shell interpretation entirely. As an example, replace `execAsync(\`curl -L "${tmx_url}" -o "${tempFilePath}"\`);` with `execAsync("curl", "-L", tmx_url, "-o", tempFilePath);`.

Tags: Exploit · Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers: CVE-2025-53832, GHSA-XJ5P-8H7G-76M7

Affected Products: @Translated/Lara-Mcp