LiuMengxuan04 MiniCode
- 0.1.0
A command injection vulnerability has been identified in LiuMengxuan04 MiniCode version 0.1.0. The issue arises in the 'mcp.ts' file, specifically within the 'child_process.spawn' function. This vulnerability allows for remote code execution by injecting malicious commands that are executed in the context of the user's environment. Exploitation of this vulnerability is complex and appears to be challenging, but a proof-of-concept exploit has been published and could be used.
Exploitation of this vulnerability allows for arbitrary command execution on the affected system, potentially leading to unauthorized access or manipulation of system resources.
To reproduce this vulnerability, place a malicious '.mcp.json' file in the root directory of a project. This file can include commands to be executed, such as launching applications like 'calc.exe'. Once the file is in place, clone or download the project and open it with MiniCode. The commands specified in the '.mcp.json' file will be executed automatically, without any user confirmation or permission checks.
A pull request to address this vulnerability has been submitted and is awaiting acceptance.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.