CVE-2025-53818: GitHub Kanban MCP Server vulnerable to Command Injection

CVSS Score: N/A

Basic Information

EPSS Score: 0.55456%
Published: 7/15/2025
Updated: 7/15/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| @sunwood-ai-labs/github-kanban-mcp-server | npm | <= 0.3.0 | |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability analysis identified a critical command injection flaw in the @sunwood-ai-labs/github-kanban-mcp-server package, specifically in versions up to and including 0.3.0. The root cause is the insecure use of the exec function (wrapped in execAsync) within the handleAddComment function located in src/handlers/comment-handlers.ts.

The data flow begins in the handleToolRequest function, which acts as a router for different tools. When the add_comment tool is invoked, handleToolRequest extracts parameters from the request, including issue_number. This user-controllable issue_number is then passed to the handleAddComment function.

Inside handleAddComment, the issue_number is directly concatenated into a string that is executed as a shell command. This allows an attacker to inject arbitrary shell commands by crafting a malicious issue_number payload (e.g., 123; malicious_command). The application neither sanitizes the value nor uses a safer alternative such as execFile, which would treat arguments as data rather than executable code.
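The safer pattern the analysis points to, as an added example (not code from the package or from this advisory): validate issue_number against an allow-list and pass every value as its own argv element so that no shell parses it. The `gh issue comment` argument layout, the `repo` and `body` fields and all function names are assumptions; a child Node process stands in for `gh` so the block runs offline.

```javascript
const { execFileSync } = require("node:child_process");

// Issue numbers are positive integers, so an allow-list check is exact.
function parseIssueNumber(value) {
  const s = String(value);
  if (!/^[1-9]\d{0,9}$/.test(s)) {
    throw new TypeError(`invalid issue_number: ${JSON.stringify(value)}`);
  }
  return s;
}

// Assumed repository format "owner/name"; reject anything else, including
// values starting with "-" that a CLI could read as an option.
function parseRepo(value) {
  const s = String(value);
  if (!/^[A-Za-z0-9][A-Za-z0-9-]*\/[A-Za-z0-9._-]+$/.test(s)) {
    throw new TypeError(`invalid repo: ${JSON.stringify(value)}`);
  }
  return s;
}

// One array element per argument: no shell ever parses these strings.
function buildCommentArgv(args) {
  return [
    "issue", "comment", parseIssueNumber(args.issue_number),
    "--repo", parseRepo(args.repo),
    "--body", String(args.body),
  ];
}

// Stand-in for `gh`: a child Node process that prints the argv it received.
// Real code would call execFile("gh", argv) with the same array.
function runStandIn(argv) {
  const echo = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";
  const out = execFileSync(process.execPath, ["-e", echo, "--", ...argv], {
    encoding: "utf8",
  });
  return JSON.parse(out);
}

// Constructed sample input: the body holds shell metacharacters on purpose,
// because free text cannot be allow-listed the way a number can.
const sample = { issue_number: "123", repo: "octo-org/demo", body: "done; $(id) `x`" };
const received = runStandIn(buildCommentArgv(sample));
console.log(received[5] === sample.body); // body reaches the child as one literal argument
```

The comment body is the field that validation cannot protect, which is why the argv form matters even after issue_number is checked.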

Although the official advisory states there is no patched version, an analysis of the repository's tags and commits between the last vulnerable version (v0.3.0) and the next release (v0.4.0) indicates that the issue was addressed. The refactoring in version v0.4.0 appears to have removed the vulnerable execAsync call as part of a larger code change, even though it wasn't explicitly marked as a security fix. Therefore, any environment running version 0.3.0 or older is exposed to this high-severity remote command execution vulnerability.

Vulnerable functions

handleAddComment (src/handlers/comment-handlers.ts)
The function `handleAddComment` is vulnerable to OS command injection. It constructs a command string for the `gh` CLI tool and executes it using `execAsync`. The `args.issue_number` parameter, which can be controlled by the user, is directly embedded into the command string without any sanitization or escaping. An attacker can provide a malicious string for `issue_number` (e.g., `123; rm -rf /`) to execute arbitrary commands on the server where the MCP server is running.

handleToolRequest (src/handlers/tool-handlers.ts)
This function is the entry point for tool execution. It receives the raw request and, for the 'add_comment' tool, extracts the `issue_number` argument. It then calls the `handleAddComment` function with this user-provided data, initiating the vulnerable flow. While the vulnerability is executed within `handleAddComment`, `handleToolRequest` is a critical part of the attack chain as it processes the malicious input.

WAF Protection Rules

WAF Rule

The MCP Server at https://github.com/Sunwood-ai-labs/github-kanban-mcp-server/ is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation.

## Vulnerable tool