Docker Sandbox Escape in node-code-sandbox-mcp (CVE-2025-53372)

Also known as: Code Sandbox MCP Escape, Docker execSync Injection

Severity: High | Published: July 8, 2025 | Source: GitLab Advisory | CVE-2025-53372

Overview

The node-code-sandbox-mcp package (versions <= 1.2.0) has command injection vulnerabilities: unsanitized input reaches execSync calls, which bypasses the Docker sandbox protections. The flaw is exploitable through indirect prompt injection when generating code. CVSS 7.5.

Who Is Affected

Reported via a GitLab security advisory. The issue affects developers using node-code-sandbox-mcp as a sandboxed code execution environment for MCP agents.

Where It Exists

The vulnerability is in the node-code-sandbox-mcp package's command execution layer. Despite using Docker for sandboxing, the host-side orchestration code passes unsanitized input to execSync, allowing escape from the sandbox.

When It Was Found

Published July 8, 2025. Affects versions <= 1.2.0. Fixed in v1.3.0.

How It Works

An attacker crafts input (directly or via indirect prompt injection through code comments or documentation) that contains shell metacharacters. When the MCP server processes this input to set up or execute code in the Docker sandbox, the unsanitized execSync call executes the injected commands on the host OS outside the Docker container, completely bypassing the sandbox.

Impact

Full escape from the Docker sandbox to the host system. Attackers gain code execution on the host with the MCP server's privileges, defeating the entire purpose of sandboxed code execution. This can lead to host compromise, data theft, and lateral movement.

Mitigation

Update to node-code-sandbox-mcp v1.3.0 or later. Replace execSync with execFileSync using argument arrays. Apply additional host-level restrictions (seccomp, AppArmor) to the MCP server process. Never pass LLM-generated content directly to shell commands.
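
The difference between the two call styles, as an added example that is not code from node-code-sandbox-mcp: the helper names, the sample container id and the allow-list are assumptions made for illustration. `echo` and a small Node stub stand in for the docker CLI so the block runs offline.

```javascript
// Added example: hypothetical host-side helpers, not the package's own code.
const { execSync, execFileSync } = require('node:child_process');

// Stand-in for the docker CLI: a Node one-liner that prints the argv it
// received as JSON. Real code would pass file = 'docker' and no prefix args.
const STUB = [process.execPath,
  ['-e', 'console.log(JSON.stringify(process.argv.slice(1)))']];

// Constructed sample: a "container id" that carries a shell metacharacter.
const HOSTILE_ID = 'abc123; echo RAN_ON_HOST';

// Vulnerable pattern: the value is spliced into a string that /bin/sh parses.
// `echo` replaces docker here so the effect is visible and harmless.
function unsafeExec(containerId) {
  return execSync(`echo docker exec ${containerId} node index.js`,
    { encoding: 'utf8' });
}

// Hardened pattern: no shell is involved, and every array element becomes
// exactly one argv entry, whatever characters it contains.
function safeExec(containerId, [file, prefix] = STUB) {
  const out = execFileSync(
    file,
    [...prefix, 'exec', containerId, 'node', 'index.js'],
    { encoding: 'utf8', shell: false },
  );
  return JSON.parse(out);
}

// Defence in depth: reject anything outside a strict allow-list before the
// value gets near a process call. (Pattern chosen for this example.)
function assertContainerRef(value) {
  const ok = typeof value === 'string' &&
    /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/.test(value);
  if (!ok) throw new TypeError('invalid container reference');
  return value;
}

console.log(unsafeExec(HOSTILE_ID)); // the shell split the line at ';'
console.log(safeExec(HOSTILE_ID));   // the id arrives as one inert argument
```

With execFileSync the hostile value still reaches the child process, only as data; the allow-list check is what stops it from being forwarded at all.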