samanhappy MCPHub Command Injection Vulnerability in Server Controller
Vulnerability
A remote code execution vulnerability has been identified in samanhappy MCPHub versions through 0.9.10. The issue resides in the serverController.ts file, where the createServer API endpoint accepts unvalidated command and argument inputs from the server configuration. This lack of input sanitization allows users to execute arbitrary operating system commands on the host server.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands running in the context of the server process.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/servers' endpoint with an 'x-auth-token' header. The request body must include a 'name' and a 'config' object. The 'config' object should specify 'type' as 'stdio' and include 'command' and 'args' fields. The 'args' field can be used to pass additional arguments to the command, enabling the execution of arbitrary commands on the server.
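One way to close the gap described above, as an added example (not MCPHub's code or its actual fix): check the 'config' object of a POST '/api/servers' body against an operator-defined allowlist before anything is spawned. The names validateStdioConfig, APPROVED_LAUNCHES and SAFE_ARG, and the package names in the allowlist, are assumptions made for illustration.

```typescript
// Added example, not MCPHub code. validateStdioConfig, APPROVED_LAUNCHES and
// SAFE_ARG are hypothetical names; the allowlist entries are constructed samples.
type StdioConfig = { type: string; command: string; args: string[] };
type Verdict = { ok: boolean; reason: string; config?: StdioConfig };

// Operator-maintained allowlist: bare command name -> approved leading arguments.
const APPROVED_LAUNCHES = new Map<string, string[][]>([
  ["npx", [["-y", "@example/mcp-files"]]],
  ["uvx", [["example-mcp-fetch"]]],
]);

// Trailing arguments: no leading "-" (no extra flags), no shell metacharacters.
const SAFE_ARG = /^[A-Za-z0-9_.\/:@=][A-Za-z0-9_.\/:@=-]*$/;

function reject(reason: string): Verdict {
  return { ok: false, reason };
}

function validateStdioConfig(body: unknown): Verdict {
  const cfg = (body as { config?: Partial<StdioConfig> } | null)?.config;
  if (!cfg || cfg.type !== "stdio") return reject("not a stdio config");
  const { command, args } = cfg;
  // Exact-name lookup: a path such as "/tmp/npx" or any other binary is refused.
  const launches = typeof command === "string" ? APPROVED_LAUNCHES.get(command) : undefined;
  if (typeof command !== "string" || !launches) return reject("command not on allowlist");
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string"))
    return reject("args must be an array of strings");
  // The leading arguments must equal one approved launch, element by element.
  const prefix = launches.find((p) => p.every((v, i) => args[i] === v));
  if (!prefix) return reject("arguments do not match an approved launch");
  if (!args.slice(prefix.length).every((a) => SAFE_ARG.test(a)))
    return reject("unexpected flag or character in trailing argument");
  // Return a fresh object so only validated fields reach the process spawner.
  return { ok: true, reason: "", config: { type: "stdio", command, args: [...args] } };
}
```

Pinning the leading arguments matters because allowlisting the command name alone still lets a launcher such as npx run whatever package the arguments name.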
