CVE-2025-11490

Name of the Vulnerable Software and Affected Versions wonderwhy-er DesktopCommanderMCP versions up to 0.2.13

Description A flaw exists within the software that allows for operating system command injection. This occurs due to improper handling of commands within the extractBaseCommand function located in the src/command-manager.ts file, specifically within the Absolute Path Handler component. The issue can be triggered remotely. The exploit details have been publicly disclosed. The vendor acknowledges the potential for misuse but has not yet received reports of real-world exploitation.

Recommendations Versions prior to 0.2.13 should be used.