Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Godot MCP is vulnerable to Command Injection via unsanitized projectPath
Vulnerability Description
Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Godot MCP 操作系统命令注入漏洞
Vulnerability Description
Godot MCP是Solomon Elias个人开发者的一个用于与Godot游戏引擎接口的MCP服务器。 Godot MCP 0.1.1之前版本存在操作系统命令注入漏洞,该漏洞源于executeOperation函数将用户控制的输入直接传递给exec函数,可能导致命令注入和远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A