CVE-2025-54994
- Source
- https://cve.org/CVERecord?id=CVE-2025-54994
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54994.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-54994
- Aliases
- Published
- 2025-09-08T19:37:42.667Z
- Modified
- 2026-04-02T12:54:22.115502Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- @akoskm/create-mcp-server-stdio has Command Injection in MCP Server due to unsafe `exec` API
- Details
-
@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool
which-app-on-portwhich relies on Node.js child process APIexecwhich is an unsafe and vulnerable API if concatenated with untrusted user input. Version 0.0.13 contains a fix for the issue. - Database specific
{ "cwe_ids": [ "CWE-78" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54994.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/akoskm/create-mcp-server-stdio/blob/main/src/index.ts#L24-L40
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54994.json
- https://github.com/akoskm/create-mcp-server-stdio/security/advisories/GHSA-3ch2-jxxc-v4xf
- https://nvd.nist.gov/vuln/detail/CVE-2025-54994
- https://github.com/akoskm/create-mcp-server-stdio/commit/48c26bbe1f8c62764e4592f33c8300d1cadd2eac