MCP Watch Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A critical command injection vulnerability has been identified in MCP Watch version 0.1.2 and earlier. The issue resides in the MCPScanner class, specifically within the cloneRepo method. The vulnerability arises because the application directly passes the user-supplied githubUrl argument to a system shell via execSync, without any sanitization. This oversight enables attackers to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the machine running the scanner. This poses a critical risk if the scanner is deployed as a web service or in a continuous integration pipeline, as it would grant an attacker full control over the server. In such cases, the attacker could exfiltrate data, disrupt services, or move laterally within the infrastructure. Even when the scanner is run locally, the vulnerability could be exploited if a user copies and pastes a malicious URL into it.
Reproduction
To reproduce this vulnerability, install the MCP Watch package or clone the repository. Then run the scanner from the command-line interface (CLI) or invoke the scanRepository function programmatically. Provide a malicious URL that includes a command separator, such as a semicolon, ampersand, or pipe, followed by a system command. For example, the payload could be a GitHub URL with an appended command that opens the calculator application on Windows.
Remediation
Users can update to MCP Watch version 0.1.3, where this vulnerability has been patched.
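The general mitigation for this class of bug, shown as an added example that is not MCP Watch's code or its 0.1.3 patch: validate githubUrl against a strict pattern and invoke git through an argument vector instead of a shell string. The function names, the destDir parameter and the vulnerable command shape quoted in the first comment are assumptions.

```javascript
// Added example, not MCP Watch's code; all function names are hypothetical.
// Assumed vulnerable shape (the advisory says githubUrl reaches a shell via execSync):
//   execSync(`git clone ${githubUrl} ${dir}`)

// Owner and repository segments limited to a conservative character set.
const REPO_PATH = /^\/([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+?)(?:\.git)?\/?$/;

// Returns the canonical https://github.com/<owner>/<repo> URL, or throws.
function validateGithubUrl(input) {
  if (typeof input !== 'string') throw new TypeError('githubUrl must be a string');
  let url;
  try {
    url = new URL(input);
  } catch {
    throw new Error('githubUrl is not a valid URL');
  }
  if (url.protocol !== 'https:' || url.hostname !== 'github.com' || url.port) {
    throw new Error('only https://github.com URLs are accepted');
  }
  if (url.username || url.password || url.search || url.hash) {
    throw new Error('credentials, query strings and fragments are rejected');
  }
  const m = REPO_PATH.exec(url.pathname);
  if (!m) throw new Error('path must be /<owner>/<repo>');
  // Rebuild the URL from validated parts instead of echoing the input.
  return `https://github.com/${m[1]}/${m[2]}`;
}

// Builds an argument vector; destDir is assumed to be chosen by the scanner.
function buildCloneArgs(githubUrl, destDir) {
  // "--" ends option parsing, so later values are treated as positionals.
  return ['clone', '--depth', '1', '--', validateGithubUrl(githubUrl), destDir];
}

// execFileSync starts git directly with no shell, so separators such as
// ";", "&" and "|" are never interpreted even if validation were bypassed.
async function cloneRepoSafely(githubUrl, destDir) {
  const { execFileSync } = await import('node:child_process');
  execFileSync('git', buildCloneArgs(githubUrl, destDir), { stdio: 'ignore', timeout: 60000 });
}
```

The two controls are independent: the allowlist rejects malformed input early, and the argument vector removes the shell from the call path.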
