Summary

The MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

Details

The vulnerability exists in the src/scanner/MCPScanner.ts file within the cloneRepo method.

https://github.com/kapilduraphe/mcp-watch/blob/0fca7228bd313ae5aa938d61311377e88ce6e682/src/scanner/McpScanner.ts#L181

The code uses child_process.execSync to execute a git clone command:

Because execSync spawns a shell (defaulting to /bin/sh on Unix or cmd.exe on Windows), any shell metacharacters present in the url argument will be interpreted by the shell. The application does not validate that the url is a valid Git URL, nor does it sanitize input for shell metacharacters.

PoC

Install the package or clone the repository.

Run the scanner using the CLI (or invoke scanRepository programmatically).

Provide a malicious URL containing a command separator (e.g., ;, &, or |) and a system command. payload : npm run scan:github "https://github.com/kapilduraphe/mcp-watch & calc.exe"

Impact

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Description: This vulnerability allows an attacker to execute arbitrary code on the machine running the scanner.

If run by a developer locally, it compromises their workstation.

If deployed as a hosted scanning service, it grants the attacker full control over the server (RCE), leading to potential data exfiltration, service disruption, or further lateral movement within the infrastructure.