Raine Consult-LLM-MCP Command Injection Vulnerability in Git Diff Handling
Vulnerability
A command injection vulnerability exists in Raine Consult-LLM-MCP versions through 2.5.3. The issue is in the 'consult_llm' tool, where user-controlled input in the 'git_diff.base_ref' and 'git_diff.files' parameters is not properly sanitized. This allows arbitrary commands to be injected and executed with the same privileges as the MCP server process. The root cause is the use of 'child_process.execSync' in 'src/server.ts', which executes commands through a system shell, so special characters in these parameters are interpreted as command modifiers rather than passed to git as data. The flaw has been addressed in version 2.5.4, which rewrites the git command handling to use Rust's 'std::process::Command', eliminating the risk of injection by avoiding shell interpretation.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server where the MCP service is running, potentially leading to unauthorized access, data manipulation, or changes to the server environment, depending on the privileges of the MCP server process.
Reproduction
To reproduce this vulnerability, upload a file named 'poc.txt' to the 'src' directory of a 'consult-llm-mcp' project. Then, use the 'consult_llm' tool with the 'git_diff.base_ref' parameter set to 'HEAD&whoami > poc.txt&', and the 'git_diff.files' parameter set to 'file.ts'. When the tool is executed, the injected command will be executed, and the 'poc.txt' file will be created in the 'src' directory, containing the output of the 'whoami' command.
Remediation
Upgrade to Raine Consult-LLM-MCP version 2.5.4 or later, which addresses the command injection vulnerability by using a safer method for executing commands that does not involve shell interpretation.
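The difference between the shell-string pattern and an argument-vector call, as an added Node.js example that is not the project's code. The page does not show the source, so the string construction is an assumed shape of the vulnerable pattern; 'shellCommandString', 'gitDiffArgv', 'runGitDiff' and the ref allowlist are hypothetical, and Node's 'execFileSync' stands in for the Rust 'std::process::Command' used by the actual fix.

```javascript
// Assumed shape of the vulnerable pattern: one string handed to a shell.
// Returned here, never executed, so the effect can be inspected safely.
function shellCommandString(baseRef, files) {
  return `git diff ${baseRef} -- ${files.join(' ')}`;
}

// Conservative allowlist for a revision: must not start with '-' (git would
// parse it as an option) and may not contain shell metacharacters or spaces.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/~^@{}-]*$/;

// Build an argument vector for git; throws on input that is not a plain ref/path.
function gitDiffArgv(baseRef, files) {
  if (typeof baseRef !== 'string' || !SAFE_REF.test(baseRef)) {
    throw new Error('rejected base_ref');
  }
  if (!Array.isArray(files) || files.length === 0) {
    throw new Error('rejected files');
  }
  for (const f of files) {
    if (typeof f !== 'string' || f === '' || f.includes('\0')) {
      throw new Error('rejected file path');
    }
  }
  // Everything after '--' is a pathspec, so a path starting with '-' is not an option.
  return ['diff', baseRef, '--', ...files];
}

// Hardened call (CommonJS): execFileSync passes argv straight to git, with no shell.
function runGitDiff(baseRef, files, cwd) {
  const { execFileSync } = require('node:child_process');
  return execFileSync('git', gitDiffArgv(baseRef, files), {
    cwd,
    encoding: 'utf8',
    maxBuffer: 16 * 1024 * 1024,
  });
}
```

Avoiding the shell removes the command injection; the allowlist is a separate layer that also stops a 'base_ref' beginning with '-' from being read by git as an option.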
