Elgentos Magento2-Dev-Mcp Command Injection Vulnerability

Vulnerability

A command injection vulnerability exists in Elgentos Magento2-Dev-Mcp versions through 1.0.2. The issue arises in the 'executeMagerun2Command' function within 'src/index.ts', where user-controlled input is not properly sanitized before being passed to a command that is then executed. This vulnerability can be exploited locally, and the injected commands run with the same privileges as the MCP server process.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server hosting the MCP service, potentially leading to unauthorized access, data manipulation, or changes to the server environment, depending on the privileges of the MCP server process.

Reproduction

To reproduce this vulnerability, first ensure that 'n98-magerun2' is installed and accessible in the system path. Then submit a crafted input through the 'cache-view' tool of the 'magento2-dev-mcp' MCP server. The injected command is executed with the same privileges as the MCP server process.

Remediation

A patch for this vulnerability has been applied and is available in the 'elgentos/magento2-dev-mcp' repository.
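The defensive pattern that closes this class of bug, shown here as an added example that is not the project's code or its actual patch: the value received from the tool call is checked against an allowlist and then handed to execFile as a separate argv element, so no shell ever parses it. The binary name, the subcommand names and the sample cache ids are assumptions made for the example.

```javascript
// Added example, not the magento2-dev-mcp code. The risky pattern in a
// wrapper like this is building one string from user input and handing it
// to exec(), which runs it through /bin/sh. The safe pattern below never
// involves a shell: the input is validated and passed as its own argv entry.

// Subcommands this wrapper is allowed to invoke (assumed names).
const ALLOWED_SUBCOMMANDS = new Set(["cache:view", "cache:list"]);

// Cache identifiers are expected to be short tokens of these characters;
// anything else (spaces, ;, $, backticks, quotes, newlines) is rejected.
const SAFE_ARG = /^[A-Za-z0-9_.:-]{1,128}$/;

// Builds the argv array for n98-magerun2, or throws if any part is not
// on the allowlist. This is the function worth unit-testing.
function buildMagerun2Argv(subcommand, args) {
  if (!ALLOWED_SUBCOMMANDS.has(subcommand)) {
    throw new Error(`subcommand not allowed: ${subcommand}`);
  }
  for (const a of args) {
    if (typeof a !== "string" || !SAFE_ARG.test(a)) {
      throw new Error("argument rejected by allowlist");
    }
    // A leading dash would let the caller smuggle in CLI options.
    if (a.startsWith("-")) {
      throw new Error("option-like argument rejected");
    }
  }
  return [subcommand, ...args];
}

// Convenience predicate for callers and tests.
function isSafeArgument(value) {
  try {
    buildMagerun2Argv("cache:view", [value]);
    return true;
  } catch {
    return false;
  }
}

// Runs the command without a shell. execFile passes argv straight to the
// child process, so metacharacters in `args` are never interpreted.
// node:child_process is loaded lazily so the module works as CJS or ESM.
async function runMagerun2(subcommand, args) {
  const argv = buildMagerun2Argv(subcommand, args);
  const { execFile } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    execFile("n98-magerun2", argv, { timeout: 30000 }, (err, stdout, stderr) => {
      if (err) reject(err);
      else resolve({ stdout, stderr });
    });
  });
}
```

runMagerun2 still needs 'n98-magerun2' on the PATH to do anything; the validation in buildMagerun2Argv can be exercised without it.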

Added: Apr 5, 2026, 11:20 PM
Updated: Apr 5, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.