MCPJam Inspector Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in MCPJam Inspector versions 1.4.2 and earlier. This vulnerability arises because the application listens on all network interfaces by default, making its HTTP APIs accessible from outside the local machine. An attacker can send a crafted HTTP request to the '/api/mcp/connect' endpoint, which is intended for connecting to MCP servers. The request can include commands and arguments that are executed on the server, leading to unauthorized code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where MCPJam Inspector is running.

Reproduction

To reproduce this vulnerability, start MCPJam Inspector version 1.4.2 or earlier. Once the application is running, send an HTTP POST request to the '/api/mcp/connect' endpoint. Include a JSON payload that specifies the command to be executed and any necessary arguments. The application will execute the command on the server, resulting in remote code execution.

Remediation

Users can upgrade to MCPJam Inspector version 1.4.3 or later, where this vulnerability has been patched.