Sunwood-ai-labs Command-Executor-MCP-Server OS Command Injection Vulnerability

A command injection vulnerability has been identified in Sunwood-ai-labs command-executor-mcp-server versions through 0.1.0. The issue resides in the execute_command function within src/index.ts, part of the MCP Interface component. The vulnerability allows remote exploitation by bypassing the command allowlist validation, enabling attackers to execute arbitrary commands on the host operating system.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system, potentially leading to a full compromise of the affected machine.

Reproduction

To reproduce this vulnerability, upload the server and connect with the MCP Inspector or another MCP client. Then, invoke the execute_command tool with a payload that includes an allowed command followed by shell metacharacters and an additional command, such as 'ls /no_such_path ; id'. The appended command will be executed on the server, demonstrating the command injection vulnerability.

Remediation

No fixed version is available at the time of reporting. However, it is recommended to restrict the allowed command list to the minimum necessary and run the MCP server under a dedicated low-privilege account in an isolated working directory.