PT-2025-36503 · npm · @akoskm/create-mcp-server-stdio

Lirantal · Published 2025-09-08 · Updated 2025-09-09 · CVE-2025-54994

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @akoskm/create-mcp-server-stdio versions prior to 0.0.13
Description: The @akoskm/create-mcp-server-stdio package, an MCP server starter kit built on the StdioServerTransport, contains a command injection issue in versions prior to 0.0.13. The which-app-on-port tool relies on the Node.js exec function, which is susceptible to command injection when combined with untrusted user input.
Recommendations: Update @akoskm/create-mcp-server-stdio to version 0.0.13 or later.


Weakness Enumeration

OS Command Injection
Command Injection

Related Identifiers

CVE-2025-54994
GHSA-3CH2-JXXC-V4XF

Affected Products

@akoskm/create-mcp-server-stdio