sf-mcp-server Command Injection Vulnerability in Query Records Tool

A command injection vulnerability has been identified in sf-mcp-server, an implementation of Salesforce MCP server for Claude for Desktop. The issue arises from the unsafe use of child_process.exec, which allows user-controlled input to be injected into Salesforce CLI commands. This vulnerability enables attackers to execute arbitrary shell commands with the privileges of the MCP server process.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where the MCP service is running, potentially leading to unauthorized access to data or modification of the host environment, depending on the privileges of the MCP server.

Reproduction

To reproduce this vulnerability, start the MCP server by installing the necessary packages and building the project. Then, open the MCP Inspector and connect to the server. Navigate to the Tools tab, select the query_records tool, and input a crafted value in the targetOrg field that includes shell metacharacters, such as 'playground_org&whoami > poc.txt&'. When the tool is run, the injected command will be executed, and the output can be verified by checking for the existence of the 'poc.txt' file, which will contain the result of the executed command.

Remediation

Users can update to version 1.0.3 of sf-mcp-server, which addresses the command injection vulnerability by replacing child_process.exec with execFile, using parameter arrays instead of string concatenation, and maintaining existing functionality.