ChrisChinchilla Vale-MCP HTTP index.ts os command injection

A vulnerability was found in ChrisChinchilla Vale-MCP up to 0.1.0. Affected by this vulnerability is an unknown functionality of the file src/index.ts of the component HTTP Interface. The manipulation of the argument config_path results in os command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Vale MCP Server 操作系统命令注入漏洞

Vale MCP Server是Chris Chinchilla个人开发者的一个集成语法检查功能的AI助手协议服务器。 Vale MCP Server 0.1.0及之前版本存在操作系统命令注入漏洞，该漏洞源于对文件src/index.ts中参数config_path的操作不当，可能导致os命令注入。

N/A

N/A