Godot MCP Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in Godot MCP, a Model Context Protocol server for the Godot game engine, prior to version 0.1.1. The vulnerability allows remote code execution by injecting shell metacharacters into user-controlled input that is passed directly to a shell-executing function. This issue affects any tool that accepts the 'projectPath' input, including 'create_scene', 'add_node', and 'load_sprite'.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server where Godot MCP is running, with the same privileges as the MCP server process.
Reproduction
The vulnerability can be reproduced by using the Godot MCP Inspector tool to invoke a command that includes injected shell metacharacters in the 'projectPath' parameter. This can be done by selecting a vulnerable tool, such as 'create_scene', and entering a crafted 'projectPath' that exploits the command injection flaw. The injection can be verified by checking for the execution of the injected command, such as creating a file in the '/tmp' directory.
Remediation
Users are advised to upgrade to Godot MCP version 0.1.1 or later, where this vulnerability has been fixed by changing the command execution method to one that does not involve shell interpretation.
