critical advisory

@profullstack/mcp-server OS Command Injection Vulnerability

The @profullstack/mcp-server is vulnerable to OS Command Injection in the domain_lookup module, allowing unauthenticated remote attackers to execute arbitrary OS commands as the server process by injecting shell metacharacters into the domains/keywords parameters via the POST /domain-lookup/check and /domain-lookup/bulk endpoints.

The @profullstack/mcp-server package is vulnerable to OS Command Injection within the domain_lookup module. Specifically, the application fails to sanitize user-provided input passed via the domains and keywords parameters to the /domain-lookup/check and /domain-lookup/bulk endpoints. This unsanitized input is then concatenated into a shell command string and executed using execAsync(). The server binds to 0.0.0.0 without global authentication middleware, so the endpoints are reachable by anyone who can connect to it. This vulnerability, classified as CWE-78, allows unauthenticated remote attackers to inject arbitrary OS commands, potentially leading to complete system compromise. Versions 1.4.12 and earlier are affected.

Attack Chain

  1. An attacker sends a POST request to /domain-lookup/check or /domain-lookup/bulk with a crafted JSON payload.
  2. The JSON payload contains a domains or keywords array, with malicious commands injected using shell metacharacters (e.g., ;, |, $()).
  3. The buildTldxCommand() function in mcp_modules/domain_lookup/src/service.js concatenates the attacker-controlled input directly into a command string without sanitization.
  4. The resulting command string is passed to the execAsync() function.
  5. execAsync() executes the command using /bin/sh, interpreting the injected shell metacharacters.
  6. Arbitrary OS commands are executed with the privileges of the server process.
  7. The attacker can then perform actions such as reading sensitive files, creating new files, or establishing outbound network connections.
  8. Successful exploitation results in unauthenticated remote code execution, potentially leading to full system compromise.

Impact

Successful exploitation of this vulnerability allows for unauthenticated remote code execution with the privileges of the server process. This could lead to full read/write access to any file the server process can access, disclosure of sensitive information, credential theft, persistence, and lateral movement within the network. The CVSS 3.1 score is 9.8 (Critical). This vulnerability is easily reproducible with a single unauthenticated HTTP POST request to either of the documented endpoints.

Recommendation

  • Upgrade to a patched version of @profullstack/mcp-server that addresses the command injection vulnerability.
  • Implement input validation on the domains and keywords parameters to reject any input containing shell metacharacters.
  • Use child_process.execFile or spawn('tldx', [keyword1, keyword2, ...]) instead of execAsync(command) to avoid shell interpretation.
  • Deploy the Sigma rules provided in this brief to detect exploitation attempts targeting the affected endpoints and parameters.
  • Implement global authentication middleware to prevent anonymous access to HTTP-exposed modules.
  • Modify the server to bind to 127.0.0.1 by default to reduce the attack surface and require explicit opt-in for non-loopback bindings.
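The validation and execFile recommendations above, combined in one sketch. This is an added example, not the project's code or its patch: validateNames, argsFromBody, runTldx and the size limits are hypothetical names and assumed values, and the sample inputs in the comments are constructed.

```javascript
// Added example (not from @profullstack/mcp-server). All names are hypothetical.

// Allow-list for one domain or keyword: letters, digits, hyphens and dots, with
// every label starting and ending alphanumeric. Shell metacharacters such as
// ; | $ ( ) and whitespace never match, and a leading "-" is rejected, so a
// value cannot be read by the child program as an option either.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const NAME_RE = new RegExp(`^${LABEL}(?:\\.${LABEL})*$`, 'i');
const MAX_ITEMS = 50;  // assumed per-request limit
const MAX_LEN = 253;   // maximum length of a DNS name

function validateNames(input) {
  if (!Array.isArray(input) || input.length === 0 || input.length > MAX_ITEMS) {
    throw new TypeError(`expected an array of 1 to ${MAX_ITEMS} names`);
  }
  return input.map((item) => {
    if (typeof item !== 'string' || item.length > MAX_LEN || !NAME_RE.test(item)) {
      throw new TypeError(`rejected name: ${JSON.stringify(item)}`);
    }
    return item.toLowerCase();
  });
}

// The advisory names two request fields, domains and keywords; validate
// whichever one the JSON body carries before anything reaches a process call.
function argsFromBody(body) {
  const field = body && (body.domains ?? body.keywords);
  return validateNames(field);
}

// Each validated name is passed as its own argv entry. execFile starts the
// program directly, without /bin/sh, so nothing in args is parsed as shell
// syntax even if the allow-list were ever loosened.
async function runTldx(body) {
  const args = argsFromBody(body);
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  const { stdout } = await promisify(execFile)('tldx', args, {
    shell: false,     // the default for execFile, stated explicitly
    timeout: 10_000,  // assumed limit in milliseconds
  });
  return stdout;
}

// Constructed inputs:
//   argsFromBody({ domains: ['Example.com'] })   -> ['example.com']
//   argsFromBody({ keywords: ['shop; id'] })     -> throws TypeError
```

A request handler would catch the TypeError and answer with HTTP 400 instead of passing the request on.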

Detection coverage (2)

Detect profullstack/mcp-server Command Injection via domain-lookup/check

critical

Detects OS Command Injection in profullstack/mcp-server via the /domain-lookup/check endpoint by identifying shell metacharacters in the domains parameter.

Format: sigma | Tactics: execution | Techniques: T1059.004 | Sources: webserver

Detect profullstack/mcp-server Command Injection via domain-lookup/bulk

critical

Detects OS Command Injection in profullstack/mcp-server via the /domain-lookup/bulk endpoint by identifying shell metacharacters in the keywords parameter.

Format: sigma | Tactics: execution | Techniques: T1059.004 | Sources: webserver
