CVE-2025-11285

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-11285

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11285.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-11285

Aliases

GHSA-5q2p-3jg8-2m98

Published

2025-10-05T06:15:32.640Z

Modified

2026-03-14T15:03:40.942778Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serverController.ts. The manipulation of the argument command/args results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/samanhappy/mcphub

Affected ranges

Type

GIT

Repo

https://github.com/samanhappy/mcphub

Events

Introduced

Last affected

7685b9bca8ceb8e3526988b135165c0733107de9

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.9.10"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.1.1

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.8.7

v0.9.0

v0.9.1

v0.9.10

v0.9.2

v0.9.3

v0.9.4

v0.9.5

v0.9.6

v0.9.7

v0.9.8

v0.9.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11285.json"