automagik-genie Command Injection Vulnerability in MCP Server Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the automagik-genie MCP Server version 2.5.27. It allows attackers to execute arbitrary commands on the server where the MCP process is running. The issue is in the 'readTranscriptFromCommit' function within 'dist/mcp/server.js', and is reached when the 'view_task' command reads from an external FORGE_BASE_URL. Malicious data returned through the Forge API is interpolated into a command without sanitization, and that command is then executed on the server.
Impact
Exploitation of this vulnerability leads to remote code execution on the server, allowing attackers to execute arbitrary commands as the user running the MCP server process. This could be used to read sensitive files, access internal network services, or modify the server environment, such as installing backdoors or altering scheduled tasks.
Reproduction
To reproduce this vulnerability, set up a mock Forge server that simulates a malicious backend. This server should return poisoned data that includes shell metacharacters in the 'after_head_commit' field. Then, use the automagik-genie MCP client to call the 'view_task' command, which will trigger the command injection by executing the injected payload on the server.
Remediation
Users are advised to update to the patched version of automagik-genie, if available. If a patch is not yet released, consider removing the MCP server or blocking the 'view_task' command until the vulnerability can be addressed.
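One way to close the unsanitized interpolation described above, as an added example that is not automagik-genie's own code: the 'after_head_commit' value from the Forge API is accepted only as a full hex object id and is handed to git as a separate argument, with no shell involved. The helper names and the `git show` invocation are assumptions.

```javascript
// Added example; helper names and the `git show` invocation are assumptions,
// not automagik-genie source code.

// Risky shape: building one string such as `git show ${commit}:${file}` and
// handing it to a shell lets metacharacters in `commit` start new commands.

// A git object id is 40 hex characters (SHA-1) or 64 (SHA-256).
const COMMIT_ID = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;

// Accept the remote `after_head_commit` value only if it is a full object id.
function parseCommitId(value) {
  if (typeof value !== 'string' || !COMMIT_ID.test(value)) {
    throw new TypeError('after_head_commit is not a full hex commit id');
  }
  return value;
}

// Build the argument vector; each element reaches git as one argv entry.
function buildGitShowArgs(commit, filePath) {
  const id = parseCommitId(commit);
  if (typeof filePath !== 'string' || filePath === '' || filePath.includes('\0')) {
    throw new TypeError('filePath must be a non-empty string without NUL');
  }
  return ['show', `${id}:${filePath}`];
}

// Run git without a shell: execFile passes args straight to the process.
async function readFileAtCommit(repoDir, commit, filePath) {
  const args = buildGitShowArgs(commit, filePath); // validate before spawning
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('git', args, { cwd: repoDir, timeout: 10000, maxBuffer: 8 << 20 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}

// Constructed sample of a remote task record (field name from the advisory).
const sampleTask = { after_head_commit: '3f2a9c1e'.repeat(5) };
```

Rejecting the value before any process is spawned also gives a clean point to log the offending Forge response for later review.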
