pskill9 website-downloader Command Injection Vulnerability

A command injection vulnerability has been identified in pskill9 website-downloader versions through 0.1.0. The issue resides in the MCP interface's download_website function within src/index.ts. The vulnerability allows remote attackers to inject operating system commands by manipulating the outputPath argument, which is not properly sanitized before being executed. This flaw could lead to arbitrary command execution with the privileges of the server process, potentially compromising the entire host.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands running under the same privileges as the MCP server process. This could result in a complete compromise of the host, including unauthorized access to sensitive data, modification of files or application states, and disruption of services.

Reproduction

To reproduce this vulnerability, upload the website-downloader tool to an MCP server and ensure that 'wget' is installed and accessible. Then, use the MCP 'download_website' tool, injecting a command such as 'id' through the outputPath argument. The response will include the result of the injected command, confirming successful exploitation.

Remediation

No fixed version is available at this time. As a temporary measure, do not expose the MCP server to untrusted clients, restrict access to the 'download_website' tool to trusted local users, and run the MCP server with a dedicated low-privilege OS account. Once a patch is available, publish a security advisory.