VetCoders mcp-server-semgrep OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in VetCoders mcp-server-semgrep version 1.0.0. The issue resides in the MCP Interface component, specifically within the 'analyze_results', 'filter_results', 'export_results', 'compare_results', 'scan_directory', and 'create_rule' functions of 'src/index.ts'. The vulnerability allows for arbitrary OS command execution by injecting shell metacharacters into user-controlled arguments, which are then executed with the privileges of the server process.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with potential for full host compromise, including unauthorized data access, modification, and disruption of services.
Reproduction
The vulnerability can be reproduced by supplying, through the 'analyze_results' tool, a results file whose contents include injected shell commands. The 'scan_directory' and 'create_rule' functions can also be used to demonstrate the command injection.
Remediation
Users are advised to upgrade to version 1.0.1, which addresses the vulnerability by removing the command injection vector and adding input validation to reject shell metacharacters.
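The fix the advisory describes has two parts: stop handing user-controlled strings to a shell, and reject values that carry shell metacharacters. The following TypeScript is an added illustration of that pattern and is not code from mcp-server-semgrep; it contrasts a string-building pattern of the kind described (returned rather than executed, so the difference is visible) with an argument-array call that never reaches a shell. The function names, the `UnsafeArgumentError` type, and the use of semgrep's `--json` and `--config` flags are assumptions for the example.

```typescript
// Added example, not the project's code: the vulnerable "build one shell
// string" pattern next to an argv-array call with metacharacter validation.
import { execFileSync } from "node:child_process";

// Characters that change meaning once a string is parsed by /bin/sh.
// Spaces are deliberately allowed: a path with spaces is a legitimate value
// when it travels as a single argv element.
const SHELL_METACHARACTERS = /[;&|`$<>(){}\[\]!*?~\n\r'"\\]/;

// Hypothetical error type raised for rejected input.
export class UnsafeArgumentError extends Error {}

// Vulnerable pattern: user input interpolated into a command string that a
// shell will later parse, so a ';' in `target` ends the semgrep command and
// starts a second one.  Returns the string instead of running it.
export function buildShellCommandVulnerable(rule: string, target: string): string {
  return `semgrep --json --config ${rule} ${target}`;
}

// Validation step from the advisory's remediation: refuse any value that
// contains a shell metacharacter, and return it unchanged otherwise.
export function validateArgument(value: string): string {
  if (SHELL_METACHARACTERS.test(value)) {
    throw new UnsafeArgumentError(
      `argument contains shell metacharacters: ${JSON.stringify(value)}`,
    );
  }
  return value;
}

// Hardened builder: each user-controlled value is validated and becomes
// exactly one argv element, so nothing is ever re-tokenised by a shell.
export function buildArgvHardened(rule: string, target: string): string[] {
  return ["semgrep", "--json", "--config", validateArgument(rule), validateArgument(target)];
}

// Executes argv with no shell involved: element 0 is the program, the rest
// are passed verbatim.  `shell: false` is the default for execFileSync but
// is spelled out to make the design choice explicit.
export function runWithoutShell(argv: string[]): string {
  const [program, ...args] = argv;
  return execFileSync(program, args, { encoding: "utf8", shell: false });
}

// Demonstration using the current Node binary instead of semgrep, so it runs
// offline: the argument arrives in the child exactly as written, even with a
// metacharacter in it, because no shell ever interprets it.  Constructed input.
export function demoArgvIsLiteral(): string {
  return runWithoutShell([
    process.execPath,
    "-e",
    "process.stdout.write(process.argv[1])",
    "results.json; echo injected",
  ]);
}
```

`demoArgvIsLiteral()` is the part worth running by hand: it returns the literal string `results.json; echo injected`, showing that with an argument array the `;` is just data. In the server this is still paired with `validateArgument`, because a value that reaches semgrep unchanged can still be abused by the tool itself (for example a path outside the intended directory), and rejecting metacharacters early gives a clear error instead of a confusing scan.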
