Attack Chain

1. The attacker identifies a publicly accessible instance of 54yyyu code-mcp running a vulnerable version (<= 4cfc4643541a110c906d93635b391bf7e357f4a8).
2. The attacker crafts a malicious HTTP request targeting the git_operation function in src/code_mcp/server.py.
3. The malicious request includes a crafted operation argument containing shell commands.
4. The git_operation function, without proper sanitization, passes the attacker-controlled operation argument to a system call.
5. The system executes the injected commands, potentially allowing the attacker to execute arbitrary code on the server.
6. The attacker gains initial access and may attempt to escalate privileges.
7. The attacker moves laterally within the network, compromising other systems and data.
8. The attacker achieves their final objective, which could include data exfiltration, ransomware deployment, or system disruption.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on the affected system. Due to the lack of specific versioning information and response from the vendor, the exact number of vulnerable installations is unknown. This vulnerability could lead to complete system compromise, data breaches, and potential disruption of services, impacting any organization using the affected 54yyyu code-mcp software.

Recommendation

• Inspect web server logs for suspicious POST requests to the git_operation endpoint in src/code_mcp/server.py containing shell command injection attempts, and deploy the Detect Suspicious Git Operation Requests Sigma rule.
• Monitor process creation events for unusual processes spawned by the code-mcp application or related processes, using the Detect Suspicious Processes Spawned by Code-MCP Sigma rule.
• Since no patch is available, consider implementing input validation and sanitization on the operation argument within the git_operation function or consider isolating the affected service until a patch is released.