Disler Aider-MCP-Server Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Disler Aider-MCP-Server version 0.1.0, prior to commit b2516fa. The issue lies in the 'aider_ai_code' component, specifically in the 'src/aider_mcp_server/server.py' file. It is triggered by manipulating the 'relative_editable_files' argument, which allows shell metacharacters to be injected. The attack can be carried out remotely, and a proof of concept has been published.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host where the server is running. This could lead to unauthorized access to files, modification of source code, disruption of service, or execution of malicious commands that could harm the system or compromise its integrity.

Reproduction

To reproduce this vulnerability, deploy the server inside a Git repository. Then send an MCP request to the 'aider_ai_code' tool whose 'relative_editable_files' argument contains a payload that injects a command, such as 'notes.txt; touch AIDER_CMDI_POC #'. The server executes the injected command, demonstrating the command injection vulnerability.

Remediation

No official patch is available at this time. Avoid exposing the MCP server to untrusted callers until the vulnerability is fixed. If the server must remain in operation, place it behind a trusted broker that validates each file name against a conservative allowlist before it reaches the tool.
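As an added defender's example (not code from the Aider-MCP-Server project), the following Python check shows the kind of conservative allowlist a broker could apply to every entry of 'relative_editable_files' before forwarding the request; the repository root path and the function names are assumptions.

```python
import re
from pathlib import Path

# Conservative allowlist for one path segment: must start with a letter, digit
# or underscore, then only letters, digits, '.', '_' and '-'. Leading '.' and
# leading '-' are excluded on purpose, which rules out '.', '..' traversal
# segments and names that a CLI could parse as options. Shell metacharacters
# (';', '#', space, '|', '$', backticks, ...) never match.
_SEGMENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")


def is_allowed_editable_file(name: str, repo_root) -> bool:
    """Return True only if `name` is a plain relative path that stays inside repo_root."""
    if not isinstance(name, str) or not name or len(name) > 255:
        return False
    if name != name.strip() or "\x00" in name or "\\" in name:
        return False
    if name.startswith("/"):
        return False  # absolute paths are never relative editable files
    if any(not _SEGMENT.match(seg) for seg in name.split("/")):
        return False
    # Belt and braces: even with a clean character set, confirm the resolved
    # path is still under the repository root (hypothetical root for this example).
    root = Path(repo_root).resolve()
    try:
        (root / name).resolve().relative_to(root)
    except ValueError:
        return False
    return True


def filter_relative_editable_files(files, repo_root):
    """Split a request's file list into accepted and rejected entries.

    A broker should refuse the whole request when `rejected` is non-empty rather
    than silently dropping entries. Accepted names must still be passed to any
    subprocess as an argument list, never through a shell string.
    """
    accepted, rejected = [], []
    for f in files:
        (accepted if is_allowed_editable_file(f, repo_root) else rejected).append(f)
    return accepted, rejected
```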

Added: Apr 27, 2026, 9:26 PM
Updated: Apr 27, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.