PT-2026-46845 · Pypi · Stata-Mcp

Published

2026-06-04

·

Updated

2026-06-04

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

The log_file_name parameter of the stata_do API and CLI is interpolated directly into a Stata command string without sanitization. The security guard (GuardValidator) scans only the do-file content and does not validate this parameter. An attacker can inject arbitrary Stata commands (including shell, python, erase, etc.) by supplying a log file name that contains quotes, newlines, or Stata command separators.

Details

In src/stata_mcp/stata/stata_do/do.py, both execute_unix_like and execute_windows build a Stata command string with a Python f-string:
commands = f"""
capture log close
{self.generate_log_command(log_file, is_replace)}
...
do "{dofile_path}"
...
"""
The generate_log_command method returns:
log_cmd = f'log using "{log_file.as_posix()}", {replace_clause} {log_type} name({log_type}_log)'
where log_file is constructed from the user-supplied log_name:
def generate_log_file(self, log_name: str, extension='log'):
    return self.log_file_path / f"{log_name}.{extension}"
The log_name parameter comes directly from user input (via the MCP tool stata_do or the CLI command stata-mcp tool do) without any validation. Because the path is embedded inside double quotes in a Stata command string, an attacker can close the string and append further commands.
In addition, generate_log_file does not prevent path traversal via log_name, allowing an arbitrary file write (with the privileges of the Stata process) outside the intended log directory.

Proof of Concept

When stata_do is called through the MCP tool with:
{
 "dofile_path": "test.do",
 "log_file_name": "'; shell echo pwned > /tmp/pwned.txt; '"
}
the generated Stata command becomes:
log using "<log_dir>/'; shell echo pwned > /tmp/pwned.txt; '.log", replace text name(text_log)
Stata interprets this as multiple commands, with shell echo pwned > /tmp/pwned.txt executed as an arbitrary shell command. Note that Stata treats ; as a command separator only after #delimit ; has been set; by default a command ends at the end of the line. A name that closes the double quote and then inserts a newline (for example x" followed by a line break and shell echo pwned > /tmp/pwned.txt) works regardless of the delimiter setting, because each line of the generated command string is run as its own Stata command.

Impact

  • Remote Code Execution via shell command injection
  • Arbitrary file write/overwrite via path traversal in log_name
  • Complete bypass of the security guard, as the guard only validates do-file content, not wrapper parameters

Remediation / Fix

  1. Apply strict allowlist validation to log_name (only alphanumerics, underscore, dot, hyphen; max 128 chars)
  2. Resolve the constructed log path and verify that it remains within the intended log directory
  3. Consider generating safe internal filenames (e.g., UUIDs) instead of accepting user-defined log names for command construction
  4. Apply similar sanitization to dofile_path before embedding it in Stata command strings
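The construction shown under Details and the four remediation steps above, as an added Python example that is not part of the advisory or of the stata-mcp code base. unsafe_log_command is a hypothetical re-creation of the vulnerable builder so the injected command can be seen; safe_log_command applies the allowlist, the path-containment check and the UUID fallback from the remediation list, and validate_dofile_path covers item 4. LOG_DIR, the three payloads and all function names are constructed for this example.

```python
import re
import uuid
from pathlib import Path
from typing import Optional

# Constructed log directory for this example; the package keeps its own log_file_path.
LOG_DIR = Path("/tmp/stata-mcp-logs")

# Remediation item 1 as a regex: alphanumerics, underscore, dot and hyphen, at most
# 128 characters, and no leading dot (so ".." and dot-files are out). Slash, quote,
# newline, `;`, `$` and backtick can never reach the Stata command line this way.
LOG_NAME_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}")

# Characters that must never be interpolated into a Stata command: `"` closes the
# string, CR/LF end the command, and `$` / backtick trigger macro expansion even
# inside double quotes.
FORBIDDEN_IN_STATA_ARG = re.compile(r'["\r\n$`]')

# Constructed payloads: the advisory's own, a newline variant that does not depend
# on the `;` delimiter setting, and a path-traversal attempt.
ADVISORY_PAYLOAD = "'; shell echo pwned > /tmp/pwned.txt; '"
NEWLINE_PAYLOAD = 'x"\nshell echo pwned > /tmp/pwned.txt\nlog using "y'
TRAVERSAL_PAYLOAD = "../../../etc/cron.d/job"


def unsafe_log_command(log_dir: Path, log_name: str, is_replace: bool = True,
                       log_type: str = "text") -> str:
    """Hypothetical re-creation of the vulnerable pattern: log_name goes straight
    into the f-string, as the advisory describes."""
    log_file = log_dir / f"{log_name}.log"
    replace_clause = "replace" if is_replace else "append"
    return f'log using "{log_file.as_posix()}", {replace_clause} {log_type} name({log_type}_log)'


def validate_log_name(log_name: str) -> str:
    """Allowlist check (remediation item 1)."""
    if not LOG_NAME_RE.fullmatch(log_name):
        raise ValueError(f"invalid log name: {log_name!r}")
    return log_name


def resolve_log_path(log_dir: Path, log_name: str, extension: str = "log") -> Path:
    """Containment check (remediation item 2): resolve symlinks and `..`, then
    require that the result still lies under log_dir."""
    base = log_dir.resolve()
    candidate = (base / f"{log_name}.{extension}").resolve()
    try:
        candidate.relative_to(base)
    except ValueError as exc:
        raise ValueError(f"log path escapes {base}: {candidate}") from exc
    return candidate


def validate_dofile_path(dofile_path: str) -> str:
    """Remediation item 4: refuse a do-file path that could alter the command."""
    if FORBIDDEN_IN_STATA_ARG.search(dofile_path):
        raise ValueError(f"unsafe characters in do-file path: {dofile_path!r}")
    return dofile_path


def safe_log_command(log_dir: Path, log_name: Optional[str] = None,
                     is_replace: bool = True, log_type: str = "text") -> str:
    """Hardened builder. With log_name=None a random internal name is used
    (remediation item 3), so no caller-chosen text reaches the command at all."""
    if log_name is None:
        log_name = uuid.uuid4().hex
    validate_log_name(log_name)
    if log_type not in ("text", "smcl"):  # the two formats `log using` accepts
        raise ValueError(f"invalid log type: {log_type!r}")
    log_file = resolve_log_path(log_dir, log_name)
    replace_clause = "replace" if is_replace else "append"
    return f'log using "{log_file.as_posix()}", {replace_clause} {log_type} name({log_type}_log)'


def raises_value_error(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; shows what the checks refuse."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in (ADVISORY_PAYLOAD, NEWLINE_PAYLOAD, TRAVERSAL_PAYLOAD):
        print("vulnerable builder:", repr(unsafe_log_command(LOG_DIR, payload)))
        print("hardened builder rejects:", raises_value_error(safe_log_command, LOG_DIR, payload))
    print("hardened builder:", safe_log_command(LOG_DIR, "run1"))
```

The allowlist rejects the characters that matter on a Stata command line instead of trying to escape them: a double quote closes the string, a newline ends the command, ; separates commands once #delimit ; is active, and $ or a backtick triggers global or local macro expansion even inside double quotes, so an escaping approach would have to mirror Stata's parser exactly. The containment check in resolve_log_path is only reached by names the allowlist already accepted; it is kept as defence in depth in case the allowlist is relaxed later.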

References

Fix

Weakness Enumeration

Command Injection

Related Identifiers

GHSA-4P62-HQP5-G644

Affected Products

Stata-Mcp