Roslyn CodeLens MCP Server Untrusted Analyzer Execution Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in Roslyn CodeLens MCP Server versions from 0.0.9 up to but not including 1.17.0 allows untrusted Roslyn analyzers to be executed. The 'get_diagnostics' MCP tool automatically loads and executes every 'DiagnosticAnalyzer' assembly referenced by the target solution, with no allowlist, signature verification, or user consent. An attacker can therefore place a malicious project file (.csproj) that references a harmful DLL in a location the victim opens with the MCP server. This leads to arbitrary code execution within the server process, with the operating system privileges of that process.

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the MCP server process with the server's operating system privileges. This could result in a full compromise of the host, including unauthorized access to the filesystem, exfiltration of credentials, and installation of persistence mechanisms.

Reproduction

To reproduce this vulnerability, place a malicious DLL in a location accessible to the victim. Create a .csproj file that references this DLL through an 'Analyzer' item. When the victim opens the solution with the Roslyn CodeLens MCP server, the 'get_diagnostics' tool automatically loads and executes the malicious analyzer. Execution can be verified by checking for a specific side effect, such as the creation of a marker file indicating that the analyzer code ran.

Remediation

Update to Roslyn CodeLens MCP Server version 1.17.0 or later. If an earlier version must be used, disable the automatic loading of analyzers by setting 'includeAnalyzers' to false, and manually review any analyzers that are genuinely needed before loading them.
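That manual review is easier when the analyzer references declared by each project file are listed and those not coming from a trusted location are flagged. The script below is an added example, not code from the advisory or from the Roslyn CodeLens MCP Server project; the sample project XML is constructed, and the allowlist prefix ($(NuGetPackageRoot)) is an assumption about what the reviewer considers trusted.

```python
"""Audit .csproj files for <Analyzer Include="..."> items that do not come from an allowlisted location.

Added example for review purposes, not part of the advisory or the project. Works for both
SDK-style projects (no XML namespace) and legacy projects (MSBuild 2003 namespace).
"""
import xml.etree.ElementTree as ET

# Constructed sample project: one analyzer from the NuGet package cache, one loose DLL
# referenced by a relative path next to the project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <Analyzer Include="$(NuGetPackageRoot)microsoft.codeanalysis.netanalyzers/8.0.0/analyzers/dotnet/cs/Microsoft.CodeAnalysis.NetAnalyzers.dll" />
    <Analyzer Include="..\\tools\\Helper.Analyzers.dll" />
  </ItemGroup>
</Project>"""

# Assumed allowlist: only analyzers resolved from the NuGet package cache are trusted.
TRUSTED_PREFIXES = ("$(NuGetPackageRoot)",)


def analyzer_includes(csproj_xml):
    """Return the Include attribute of every <Analyzer> item, ignoring any XML namespace."""
    root = ET.fromstring(csproj_xml)
    return [
        el.get("Include")
        for el in root.iter()
        if el.tag.split("}")[-1] == "Analyzer" and el.get("Include")
    ]


def is_trusted(include, trusted_prefixes=TRUSTED_PREFIXES):
    """True only if the path starts with an allowlisted prefix.

    MSBuild property references such as $(NuGetPackageRoot) are compared textually because
    they cannot be expanded without running MSBuild; backslashes are normalized first.
    """
    normalized = include.replace("\\", "/")
    return any(normalized.startswith(prefix) for prefix in trusted_prefixes)


def untrusted_analyzers(csproj_xml, trusted_prefixes=TRUSTED_PREFIXES):
    """Analyzer references a reviewer should inspect before any tool is allowed to load them."""
    return [inc for inc in analyzer_includes(csproj_xml) if not is_trusted(inc, trusted_prefixes)]


if __name__ == "__main__":
    for include in untrusted_analyzers(SAMPLE_CSPROJ):
        print("review before loading:", include)
```

Run it over every .csproj in a checkout before opening the solution with an MCP server on a pre-1.17.0 version; any flagged path is one to inspect by hand.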

Added: May 29, 2026, 2:32 PM
Updated: May 29, 2026, 2:32 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  5.6
remediation     0.0
relevance       9.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.