Description
Summary
The MCP server mcp_code_executor is vulnerable to command injection due to unsafe use of child_process.exec with user-controlled input in the install_dependencies tool.
Affected Versions
<= 0.3.0
Vulnerable Code
https://github.com/bazinga012/mcp_code_executor/blob/master/src/index.ts#L314-L359
Details
The MCP tool install_dependencies builds a command string from the user-supplied packages parameter and runs it via child_process.exec. Because exec hands the string to a system shell, input containing shell metacharacters (such as ;, &, or |) is interpreted as additional commands rather than treated as data.
For example, an attacker may supply a malicious value in packages to inject arbitrary shell commands, which are then executed with the privileges of the MCP server process.
The vulnerability results from shell-based command execution combined with direct interpolation of untrusted user input. In MCP environments, LLM-generated tool parameters influenced by external content may trigger execution of injected commands without direct local user interaction.
Impact
Successful exploitation allows attackers to execute arbitrary commands on the host running the MCP service. Depending on the privileges of the MCP server process, this may allow them to access sensitive data or modify the host environment.
Recommendation
- Don't use exec. Use execFile instead, which pins the command and provides the arguments as array elements.
- Apply strict input validation to all tool parameters exposed to MCP clients, especially the packages parameter.
- Use parameter separation with proper escaping to prevent shell command injection.
PoC
See the attached files:
mcp_code_executor_bug.pdf