MCP Package Docs Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in MCP Package Docs, an MCP (Model Context Protocol) server that gives large language models (LLMs) access to package documentation. The vulnerability exists in versions prior to 0.1.27 and arises from passing unsanitized input parameters to a call to 'child_process.exec'. Because the server builds shell commands from unvalidated user input and executes them, shell metacharacters in that input are interpreted as command syntax. An attacker can therefore inject arbitrary system commands, potentially leading to remote code execution with the privileges of the server process. The vulnerability can be exploited through indirect prompt injection, where an MCP client is manipulated into executing malicious commands.
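The pattern described above, as an added Node.js example that is not the MCP Package Docs source: a shell string built from input, next to an allow-listed `execFile` argument array. The `go doc` lookup, the name pattern and all function names are assumptions made for illustration.

```javascript
// Added example; not MCP Package Docs source. `go doc` and all names are assumed.
const { exec, execFile } = require('node:child_process');

// Vulnerable pattern from the advisory: input is concatenated into one string
// that /bin/sh parses, so ; | & ` $( ) and newlines become shell syntax.
function buildShellCommand(pkg) {
  return `go doc ${pkg}`;
}
function describeUnsafe(pkg, cb) {
  return exec(buildShellCommand(pkg), cb); // shown for contrast only
}

// Hardened: allow-list the name. The first character may not be "-", which
// also blocks option injection that execFile alone does not prevent.
const PKG_NAME = /^[A-Za-z0-9@][A-Za-z0-9._\/@-]{0,199}$/;

function buildDocArgv(pkg) {
  if (typeof pkg !== 'string' || !PKG_NAME.test(pkg)) {
    throw new TypeError('rejected package name');
  }
  return ['doc', pkg]; // one argv element, never re-parsed by a shell
}
function describeSafe(pkg, cb) {
  return execFile('go', buildDocArgv(pkg), { shell: false, timeout: 10000 }, cb);
}

// Constructed inputs: two ordinary names and three hostile ones.
const SAMPLES = ['net/http', '@scope/pkg', 'fmt; echo INJECTED', '$(echo x)', '--help'];

// Show, without spawning anything, what each path would hand to the OS.
function audit(inputs) {
  return inputs.map((pkg) => {
    let argv = null;
    try {
      argv = buildDocArgv(pkg);
    } catch (err) {
      argv = null; // rejected before any process is spawned
    }
    return { pkg, shellString: buildShellCommand(pkg), argv };
  });
}

console.log(JSON.stringify(audit(SAMPLES), null, 2));
```

An `argv` of `null` means the input was rejected before any process was spawned; the `shellString` column shows what the concatenating path would have handed to the shell for the same input.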

Impact

Exploitation of this vulnerability allows command injection, leading to remote code execution on the host where the MCP Package Docs server is running.

Reproduction

The vulnerability can be reproduced by sending a crafted prompt to the MCP Package Docs server that exploits the command injection flaw. This can be done by injecting shell metacharacters into the 'notification_info' dictionary of a Git commit message, which is then processed by the MCP server's 'git_add' or 'git_init' tools. The injected commands are executed on the server, bypassing any security controls.

Remediation

Users are advised to upgrade to version 0.1.28, where this vulnerability has been patched.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.