r-huijts MCP Server Rijksmuseum Command Injection Vulnerability

Vulnerability

A command injection vulnerability affects r-huijts mcp-server-rijksmuseum versions prior to 1.0.4. The 'open_image_in_browser' tool handler in 'src/index.ts' passes the caller-supplied 'imageUrl' argument to a shell command execution function without adequate validation. Any client able to call the tool therefore controls a string that a shell parses, and can use shell metacharacters to run arbitrary operating system commands with the privileges of the server process.

Impact

Successful exploitation gives the attacker arbitrary command execution under the account running the MCP server process. Depending on that account's privileges this can mean full compromise of the host: reading files and environment variables (which commonly hold API credentials), modifying files or application state, and disrupting service by killing processes, deleting files, or exhausting system resources. Note that in an MCP deployment the tool arguments are normally produced by the connected language model, so the attacker does not have to be the human user: content that steers the model, such as a prompt injection in data the model reads, can supply the malicious 'imageUrl'.

Reproduction

To reproduce, send a JSON-RPC 'tools/call' request naming the 'open_image_in_browser' tool and pass an 'imageUrl' argument that carries shell metacharacters, for example '; id 1>&2; exit 1; #'. Each piece of that payload is deliberate: the leading ';' terminates whatever command precedes the interpolated value, '1>&2' sends the output of 'id' to stderr, 'exit 1' forces a non-zero exit status so the server takes its error path, where captured stderr is typically reported back to the caller, and the trailing '#' comments out anything the server appends after the argument. Successful injection is confirmed when the response contains the output of 'id' (the uid and gid of the server process).

Remediation

Update to mcp-server-rijksmuseum 1.0.4 or later, the first version outside the affected range stated above. Until the update is in place: do not expose the MCP server to untrusted clients, restrict the 'open_image_in_browser' tool to trusted local users or disable browser-opening in untrusted deployments, and run the server under a dedicated low-privilege OS account so that a successful injection is contained. If you are patching the code yourself, the fix is structural rather than a blocklist: reject anything that does not parse as an http(s) URL, and pass the URL as a separate argument to 'execFile' or 'spawn' instead of interpolating it into a shell string.

Added: May 2, 2026, 4:18 PM
Updated: May 2, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  8.0
remediation     0.0
relevance       7.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.