Kleneway Awesome-Cursor-MPC-Server Command Injection Vulnerability in Code Review Tool

Vulnerability

A command injection vulnerability has been identified in Kleneway Awesome-Cursor-MPC-Server versions through 2.0.1. The flaw is in the Code Review Tool, specifically the runCodeReviewTool function in src/tools/codeReview.ts. The folderPath parameter of the tool call is concatenated directly into a shell command string that is then executed with execSync(), without validation or escaping. Because execSync() hands that string to a shell, a caller who controls folderPath can embed shell metacharacters (for example ;, &&, | or $(...)) to terminate the intended command and append commands of their choosing. The tool is reachable by any client that can issue tool calls to the MCP server, so the issue is exploitable remotely.

Impact

Successful exploitation gives an attacker arbitrary command execution on the host running the MCP server. The injected commands run with the privileges of the MCP server process, so the attacker can read or modify whatever that account can reach, potentially leading to unauthorized access to or modification of the host environment.

Reproduction

A proof-of-concept file, awesome-cursor-mpc-server_bug.pdf, was attached to GitHub issue #6 of the Kleneway Awesome-Cursor-MPC-Server repository. It contains detailed reproduction steps showing how commands are injected through the vulnerable Code Review Tool by supplying a crafted folderPath parameter.

Remediation

Users are advised to update to the latest version of Kleneway Awesome-Cursor-MPC-Server, where this vulnerability has been fixed. Those unable to update should validate folderPath before runCodeReviewTool uses it: resolve it and confirm it stays inside the directory the server is meant to review, and invoke the external program with execFileSync() and an argument array rather than building a command string for execSync(), so that the value is never parsed by a shell. Stripping or escaping metacharacters by hand is error-prone and should not be the only control.
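The following TypeScript is an added illustration of both the vulnerable pattern described in the Vulnerability section and the remediation above; it is not code from the awesome-cursor-mpc-server project. The actual command line the tool builds is not reproduced; a stand-in (`ls -la` over the folder) is used, and WORKSPACE_ROOT is an assumed review directory. The vulnerable variant shows how a crafted folderPath rewrites the shell command; the hardened variant confines the path to the workspace and passes it as a single argv element so the shell never sees it.

```typescript
import { execFileSync, execSync } from "child_process";
import * as path from "path";

// Assumption: the directory the code review tool is permitted to inspect.
export const WORKSPACE_ROOT = "/srv/workspace";

// Stand-in for the vulnerable pattern (hypothetical command line, not the
// project's own): the tool-call argument is pasted into a shell string.
export function buildShellCommand(folderPath: string): string {
  return `ls -la ${folderPath}`;
}

// Vulnerable invocation: execSync() hands the string to /bin/sh, so any
// metacharacters in folderPath are interpreted. Never call with untrusted input.
export function runCodeReviewVulnerable(folderPath: string): string {
  return execSync(buildShellCommand(folderPath), { encoding: "utf8" });
}

// Hardened step 1: canonicalise the path and refuse anything that leaves the
// workspace root. Rejecting metacharacters is deliberately not the control.
export function validateFolderPath(
  folderPath: string,
  root: string = WORKSPACE_ROOT,
): string {
  if (typeof folderPath !== "string" || folderPath.length === 0 || folderPath.includes("\0")) {
    throw new Error("folderPath must be a non-empty string without NUL bytes");
  }
  const resolvedRoot = path.resolve(root);
  const resolved = path.resolve(resolvedRoot, folderPath);
  const rel = path.relative(resolvedRoot, resolved);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`folderPath escapes the workspace root: ${folderPath}`);
  }
  return resolved;
}

// Hardened step 2: build an argv array. "--" stops option parsing so a folder
// named "-rf" cannot be read as a flag, and the path is one argument.
export function buildArgv(folderPath: string): { file: string; args: string[] } {
  const safe = validateFolderPath(folderPath);
  return { file: "ls", args: ["-la", "--", safe] };
}

// Hardened invocation: execFileSync() spawns the program directly, no shell.
export function runCodeReviewSafe(folderPath: string): string {
  const { file, args } = buildArgv(folderPath);
  return execFileSync(file, args, { encoding: "utf8" });
}
```

Note that path.resolve() does not follow symlinks; if the workspace may contain links pointing outside it, resolve the validated path with fs.realpathSync() and repeat the containment check before use.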

Added: May 2, 2026, 2:21 PM
Updated: May 2, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.