RestDB Codehooks.io MCP Server Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in RestDB's Codehooks.io MCP Server, prior to version 0.2.2. The issue arises in the implementation of certain MCP Server tools, where user input is improperly handled, allowing for remote command execution on the server. The vulnerability is linked to the 'query_collection' tool, which uses the Node.js child_process 'exec' API in a risky manner by concatenating a command string with untrusted input and handing it to the shell.

Impact

Exploitation of this vulnerability allows for user-initiated remote command execution on the server running the MCP Server.

Reproduction

To reproduce this vulnerability, use prompt injection techniques to manipulate the 'query_collection' tool into executing commands through the shell. Input special shell characters to inject commands, which will be executed on the host machine.

Remediation

Users are advised to update to version 0.2.2 or later. In addition, avoid using 'exec' for command execution. Instead, use 'execFile', which securely handles commands by passing the program and its arguments as a separate argument array rather than a shell string. If user input is not intended as a command-line flag, place it after the '--' notation so that the command-line parser treats the text that follows as a plain positional value rather than an option.

Added: Jul 1, 2025, 8:14 PM
Updated: Jul 1, 2025, 8:14 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.