
CVE-2025-10619: @sequa-ai/sequa-mcp has Command Injection vulnerability

CVSS Score
6.3 (CVSS v3.1)

Basic Information

EPSS Score
0.75214%
Published
9/17/2025
Updated
9/18/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name
@sequa-ai/sequa-mcp
Ecosystem
npm
Vulnerable Versions
< 1.0.14
First Patched Version
1.0.14

Vulnerability Intelligence

Root Cause Analysis

The security vulnerability is a classic command injection flaw located in the redirectToAuthorization method of the NodeOauthClientProvider class. The root cause is the improper use of the open library, which is capable of executing shell commands in addition to opening URLs. The original code passed the authorizationUrl parameter, which can be controlled by a remote user, directly to the open function without any validation. This allows an attacker to submit a crafted string that is not a URL but a valid shell command, which the open library then executes. The provided patch confirms this analysis by introducing a check that explicitly validates the authorizationUrl to ensure it is a web URL (starts with 'http://' or 'https://') before it is passed to the open function. This remediation prevents the command injection vector by restricting the function's behavior to its intended purpose of opening web pages.

Vulnerable functions

NodeOauthClientProvider.redirectToAuthorization
src/helpers/node-oauth-client-provider.ts
The `redirectToAuthorization` function is vulnerable to command injection. It uses the `open` library to handle a URL provided in the `authorizationUrl` parameter. The vulnerability arises because the input `authorizationUrl` is not sanitized or validated before being passed to `open`. The `open` library can execute system commands if the provided string is not a valid URL. An attacker can craft a malicious string that will be interpreted as a command, leading to arbitrary command execution on the system where the MCP server is running. The patch addresses this by adding a validation step to ensure that the `authorizationUrl` starts with 'http://' or 'https://', thus restricting its use to web URLs only.
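The validation gate that the root-cause analysis and the function description above both describe, written here as an added illustration rather than as the sequa-mcp project's own code. The project's patch is reported to check for an 'http://' or 'https://' prefix; this version keeps that check and additionally parses the value with the WHATWG URL class so that only a well-formed http(s) URL with a host reaches the opener. The `opener` callback is an assumption that stands in for the `open` package's default export so the example runs offline.

```javascript
// Added example, not code from the @sequa-ai/sequa-mcp project.
// Return true only for a syntactically valid absolute http(s) URL with a host.
function isWebUrl(value) {
  if (typeof value !== 'string') return false;
  // Cheap prefix gate first; this is the check the advisory says the patch adds.
  const lower = value.toLowerCase();
  if (!lower.startsWith('http://') && !lower.startsWith('https://')) return false;
  let parsed;
  try {
    parsed = new URL(value); // WHATWG parser, global in Node and browsers
  } catch {
    return false; // prefix matched but the rest is not a parseable URL (e.g. 'https://')
  }
  return (parsed.protocol === 'http:' || parsed.protocol === 'https:') && parsed.hostname !== '';
}

// Same shape as the redirectToAuthorization method described above. `opener`
// is injected (assumed to behave like the `open` package's default export) so
// nothing is actually launched while the example runs.
function redirectToAuthorization(authorizationUrl, opener) {
  if (!isWebUrl(authorizationUrl)) {
    // Refuse anything that is not a web URL instead of handing it to the system opener.
    throw new Error('Refusing to open a non-http(s) authorization URL');
  }
  opener(authorizationUrl);
  return authorizationUrl;
}

// Constructed inputs: one genuine authorization URL and three values that must
// never reach the opener. A recording opener lets us observe what got through.
function demo() {
  const opened = [];
  const recordingOpener = (target) => { opened.push(target); };
  const results = {};
  const candidates = [
    'https://auth.example.com/authorize?client_id=abc&redirect_uri=http%3A%2F%2Flocalhost',
    'file:///tmp/report.html',   // non-web scheme
    'https://',                  // passes the prefix check, fails to parse
    'not-a-url-at-all',          // arbitrary string
  ];
  for (const candidate of candidates) {
    try {
      redirectToAuthorization(candidate, recordingOpener);
      results[candidate] = 'opened';
    } catch (err) {
      results[candidate] = 'rejected';
    }
  }
  return { results, opened };
}
```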

WAF Protection Rules

WAF Rule

A vulnerability was detected in sequa-ai sequa-mcp up to *.*.**. This affects the function redirectToAuthorization of the file src/helpers/node-oauth-client-provider.ts of the component OAuth Server Discovery. Performing manipulation results in os co
