{"uuid": "ed56307d-5d28-431d-a155-9b3ae69fdf65", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-v6wj-c83f-v46x", "type": "seen", "source": "https://gist.github.com/alon710/04224a7d95127340316da1f44fdb7a8c", "content": "# GHSA-V6WJ-C83F-V46X: GHSA-v6wj-c83f-v46x: Critical OS Command Injection in @profullstack/mcp-server domain_lookup Module\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-05-09\n> **Full Report:** https://cvereports.com/reports/GHSA-V6WJ-C83F-V46X\n\n## Summary\nA critical unauthenticated OS Command Injection vulnerability (CWE-78) exists in the `@profullstack/mcp-server` npm package, specifically within the `domain_lookup` module. The vulnerability allows remote attackers to execute arbitrary commands on the host system via crafted HTTP requests.\n\n## TL;DR\nThe `@profullstack/mcp-server` package (versions <= 1.4.12) is vulnerable to unauthenticated OS Command Injection. The `domain_lookup` module unsafely concatenates user-supplied input into a shell command, enabling remote code execution.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-78\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8 (Critical)\n- **Impact**: Arbitrary Remote Code Execution\n- **Exploit Status**: Proof of Concept Available\n- **Privileges Required**: None\n\n## Affected Systems\n\n- @profullstack/mcp-server npm package\n- **@profullstack/mcp-server**: <= 1.4.12\n\n## Mitigation\n\n- Replace child_process.exec with child_process.spawn to pass arguments safely as arrays.\n- Implement strict regex-based input validation for domain names enforcing RFC 1035 compliance.\n- Enforce global authentication middleware across all modular endpoints.\n- Execute the Node.js server process under a dedicated, unprivileged user account.\n\n**Remediation Steps:**\n1. Identify all deployments running @profullstack/mcp-server versions <= 1.4.12.\n2. Modify service.js to utilize child_process.spawn instead of execAsync.\n3. Implement a regex validation check (e.g., /^[a-zA-Z0-9.-]+$/) on the domains and keywords input arrays.\n4. Restart the Node.js application process.\n5. Review system logs and process trees for unauthorized executions or shell spawns indicating prior compromise.\n\n## References\n\n- [GitHub Advisory](https://github.com/profullstack/mcp-server/security/advisories/GHSA-v6wj-c83f-v46x)\n- [OSV Database](https://osv.dev/vulnerability/GHSA-v6wj-c83f-v46x)\n- [NPM Package](https://www.npmjs.com/package/@profullstack/mcp-server)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-V6WJ-C83F-V46X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-09T04:40:29.000000Z"}