CVE-2025-66401
MCP · MCP Watch (a comprehensive security scanner for Model Context Protocol)
Executive summary
A critical command injection vulnerability has been identified in the MCP Watch security scanner. This flaw allows an unauthenticated attacker to execute arbitrary commands on the underlying server by sending a maliciously crafted URL. Successful exploitation could result in a complete system compromise, leading to data theft, service disruption, or further network intrusion.
Vulnerability
The vulnerability exists within the cloneRepo method of the MCPScanner class. The application accepts a user-provided URL, githubUrl, and passes it directly to a system shell command (execSync) without proper input sanitization or validation. An attacker can exploit this by appending shell metacharacters (e.g., ;, |, &&, $(command)) to the URL, which allows them to inject and execute arbitrary commands with the privileges of the running application.
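One hardened alternative to the execSync pattern described above, as an added example; it is not MCP Watch's code and not the vendor's patch. The function names, the github.com-only allowlist and the /owner/repo path shape are assumptions.

```javascript
// Added example; validateGithubUrl, cloneArgs and cloneRepoSafe are hypothetical
// names, not MCP Watch's code. Assumption: only https://github.com/<owner>/<repo>
// URLs are in scope for scanning.
const ALLOWED_HOSTS = new Set(['github.com']);
const SEGMENT = /^[A-Za-z0-9_.-]+$/; // owner/repo characters; no shell metacharacters

function validateGithubUrl(input) {
  if (typeof input !== 'string' || input.length > 200) throw new Error('invalid URL');
  let url;
  try { url = new URL(input); } catch { throw new Error('invalid URL'); }
  if (url.protocol !== 'https:') throw new Error('scheme not allowed');
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error('host not allowed');
  if (url.username || url.password || url.port || url.search || url.hash) {
    throw new Error('unexpected URL component');
  }
  const parts = url.pathname.split('/').filter(Boolean);
  if (parts.length !== 2 || !parts.every((p) => SEGMENT.test(p) && !p.startsWith('-'))) {
    throw new Error('expected /owner/repo');
  }
  // Rebuild from validated pieces instead of echoing the caller's string.
  return `https://github.com/${parts[0]}/${parts[1]}`;
}

// Argument vector for git. "--" ends option parsing, so a value that begins
// with "-" can never be read as a git option.
function cloneArgs(githubUrl, destDir) {
  return ['clone', '--depth', '1', '--', validateGithubUrl(githubUrl), destDir];
}

// execFile runs git directly with an argv array; no shell parses the URL,
// unlike execSync(`git clone ${githubUrl} ...`), the pattern the advisory describes.
async function cloneRepoSafe(githubUrl, destDir) {
  const args = cloneArgs(githubUrl, destDir); // throws before any process starts
  const { execFile } = await import('node:child_process'); // works in CJS and ESM
  const { promisify } = await import('node:util');
  await promisify(execFile)('git', args, { timeout: 60000 });
  return destDir;
}

// Constructed inputs: one valid URL and three that must be rejected.
for (const candidate of [
  'https://github.com/owner/repo',
  'https://github.com/owner/repo; id',
  'https://github.com/owner/repo$(id)',
  '--upload-pack=x',
]) {
  try { console.log('accept', validateGithubUrl(candidate)); }
  catch (err) { console.log('reject', JSON.stringify(candidate), err.message); }
}
```

The allowlist validation and the shell-free argv call are independent layers: either one alone stops the metacharacter case, and together they also cover option injection through a leading "-".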
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for severe impact. A successful attack grants the adversary remote code execution (RCE) on the host machine, effectively giving them full control. This could lead to the theft of sensitive data, deployment of ransomware, complete disruption of services running on the server, or the use of the compromised system as a pivot point to attack other internal network resources.
Remediation
Immediate Action: Update MCP Watch to the latest version. The vendor has released a patch that addresses this vulnerability by properly sanitizing the user-supplied URL before it is passed to the system shell. After patching, monitor for any signs of exploitation attempts and review historical access logs for indicators of compromise.
Proactive Monitoring: Security teams should monitor application and system logs for any requests to the cloneRepo method containing unusual URL formats or shell metacharacters (e.g., ;, |, &, $, (, )). Monitor for unexpected outbound network connections or processes being spawned by the MCP Watch application, such as sh, bash, curl, wget, or nc.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block requests containing common shell metacharacters in the githubUrl parameter. Additionally, ensure the MCP Watch application is running with the lowest possible user privileges to limit the potential damage of a successful exploit.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the critical CVSS score of 9.8 and the risk of unauthenticated remote code execution, this vulnerability poses a significant threat to the organization. Although it is not currently listed in the CISA KEV catalog, its severity demands immediate attention. We strongly recommend that all instances of the affected software be patched or taken offline immediately to prevent a potential compromise.