Executive Summary



This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary.
Information
Name: CVE-2025-54073
First vendor Publication: 2025-07-18
Vendor: Cve
Last vendor Modification: 2025-07-18

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector:
CVSS Base Score: N/A
Attack Range: N/A
CVSS Impact Score: N/A
Attack Complexity: N/A
CVSS Exploit Score: N/A
Authentication: N/A

Detail

mcp-package-docs is an MCP (Model Context Protocol) server that provides LLMs with efficient access to package documentation across multiple programming languages and language server protocol (LSP) capabilities. A command injection vulnerability exists in the `mcp-package-docs` MCP Server prior to the fix in commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9 in version 0.1.27 contains a fix for the issue, but upgrading to 0.1.28 is recommended.
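The defensive counterpart to the pattern described above, as an added example that is not taken from the mcp-package-docs code base or its fix commit: validate the parameter against an allowlist, then pass it as a separate argument to `child_process.execFile` so no shell parses it. The `doc-tool` binary, its `show` subcommand, the naming policy and all function names are hypothetical.

```javascript
// Added illustration, not mcp-package-docs code. `doc-tool` and its `show`
// subcommand are hypothetical stand-ins for whatever CLI the server wraps.
//
// Vulnerable pattern from the advisory, for contrast only (never executed here):
//   exec(`doc-tool show ${name}`)   // string goes to /bin/sh; "a && b" runs two commands

// Assumed policy: npm-style names only, optionally scoped, lowercase, no whitespace.
const PACKAGE_NAME = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

function validatePackageName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 214) {
    throw new TypeError('package name must be a string of 1 to 214 characters');
  }
  if (!PACKAGE_NAME.test(name)) {
    throw new RangeError(`rejected package name: ${JSON.stringify(name)}`);
  }
  return name;
}

// Arguments stay a list; "--" ends option parsing as a second line of defence.
function buildDocArgv(name) {
  return ['show', '--', validatePackageName(name)];
}

// execFile starts the program directly, so no shell ever parses the arguments.
async function showDocs(name, tool = 'doc-tool') {
  const argv = buildDocArgv(name); // throws before any process is created
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile(tool, argv, { shell: false, timeout: 10000, maxBuffer: 1024 * 1024 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}

// Constructed inputs: two ordinary names and the metacharacter cases the advisory lists.
const SAMPLES = ['lodash', '@types/node', 'lodash | id', 'x > out.txt', 'a && b', '--help'];

function classify(inputs) {
  return inputs.map((input) => {
    try {
      buildDocArgv(input);
      return { input, accepted: true };
    } catch (err) {
      return { input, accepted: false };
    }
  });
}

console.log(classify(SAMPLES));
```

Validation and the argument-list call are independent controls: the allowlist rejects hostile names early, and `execFile` keeps any value that does get through from being interpreted as shell syntax.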

Original Source

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54073

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-77 Improper Sanitization of Special Elements used in a Command ('Command Injection')

Sources (Detail)

https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare
https://github.com/advisories/GHSA-3q26-f695-pp76
https://github.com/advisories/GHSA-5w57-2ccq-8w95
https://github.com/advisories/GHSA-gjv4-ghm7-q58q
https://github.com/sammcj/mcp-package-docs/commit/cb4ad49615275379fd6f2f1cf1e...
https://github.com/sammcj/mcp-package-docs/releases/tag/v0.1.27
https://github.com/sammcj/mcp-package-docs/releases/tag/v0.1.28
https://github.com/sammcj/mcp-package-docs/security/advisories/GHSA-vf9j-h32g...
https://invariantlabs.ai/blog/mcp-github-vulnerability

Alert History

Date Information
2025-07-18 21:20:36
  • First insertion