# Vulnerability Report Summary: Command Injection in mcp-server-rijksmuseum

## Vulnerability Overview

A command injection vulnerability (CVE-78) was discovered in `mcp-server-rijksmuseum` version 1.0.4. The vulnerability exists in the `open_image_in_browser` tool, which accepts a user-supplied `imageUrl` parameter, performs only basic type checking, and executes an unescaped shell command string via `child_process.exec`. Attackers can inject shell metacharacters (e.g., `; id #`) through the `imageUrl` parameter to execute arbitrary operating system commands with the privileges of the server process, leading to complete host compromise, including data leakage, loss of integrity, and service disruption.

## Scope of Impact

- **Affected Version**: 1.0.4 (commit: a9fc2a2b0a1e7097193a59b37ee3a3b6d38b65)
- **Affected Components**:
  - `src/index.ts`
  - `src/handlers/ToolHandler.ts`
  - `src/utils/typeguards.ts`
  - `src/utils/SystemIntegration.ts`
- **Security Impact**:
  - **Confidentiality**: High (arbitrary command execution can read files and environment variables accessible to the server process)
  - **Integrity**: High (arbitrary command execution can modify files or application state accessible to the server process)
  - **Availability**: High (arbitrary command execution can terminate processes, delete files, or consume system resources)
- **CVSS v3.1 Score**: 7.8 (High)
- **CVSS Vector**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

## Remediation

1. **Replace `child_process.exec`**: Use `child_process.execFile` or `spawn`, passing arguments as an array with `shell: false`.
2. **Separate Command and URL**: Pass the browser open command and the URL as separate arguments instead of constructing a single shell command string.
3. **Strictly Validate `imageUrl`**: Validate it as a URL and reject embedded quotes, control characters, shell metacharacters, and non-HTTP(S) schemes.
4. **Implement a Whitelist**: If the tool is intended solely for opening Rijksmuseum image URLs, enforce a whitelist of expected Rijksmuseum image hostnames.
5. **Add Regression Tests**: Demonstrate that payloads containing `";`, `|`, `&&`, `|`, backticks, `$()`, and redirection operators cannot execute additional commands.
6. **Publish Maintainer Security Advisory**: Release a maintainer security advisory once the patch is published.

## Proof of Concept (POC) Code

```json
{
  "jsonrpc": "2.0",
  "id": "1",
  "method": "tools/call",
  "params": {
    "name": "open_image_in_browser",
    "arguments": {
      "imageUrl": "http://127.0.0.1:7; id 1>&2; exit 1; #"
    }
  }
}
```

## Additional Information

- **Discoverer**: BruceZin
- **Discovery Method**: Static analysis (CodeQL), repository source code audit, and manual reproduction (using mcp-inspector)
- **Audit Conclusion**: Manual reproduction successful; the attacker-controlled MCP `imageUrl` reached the OS command sink and executed the injected shell command.
- **Dynamic Exploitation Reproduction Status**: Completed using the injected `id` command; `mcp-inspector` displayed the results of the `id` command.
- **Maintainers Should Verify Release Mapping**: Prior to coordinated disclosure.