Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FastMCP has a Command Injection vulnerability - Gemini CLI
Vulnerability Description
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
FastMCP 操作系统命令注入漏洞
Vulnerability Description
FastMCP是Jeremiah Lowin个人开发者的一个MCP服务器构建软件。 FastMCP 3.2.0之前版本存在操作系统命令注入漏洞,该漏洞源于包含shell元字符的服务器名称可能导致命令注入,当传递给fastmcp install claude-code或fastmcp install gemini-cli时,在Windows上可能执行任意命令。
CVSS Information
N/A
Vulnerability Type
N/A