Overview
The create-mcp-server-stdio package concatenates user input directly into shell command strings and runs them with exec(), enabling arbitrary command execution on the host system.
Who Is Affected
Reported via GitHub Security Advisory. Affects developers and users running MCP servers built with the create-mcp-server-stdio package.
Where It Exists
The vulnerability is in the create-mcp-server-stdio npm package's command execution logic. User-supplied input is passed directly to exec() without sanitization or parameterization.
When It Was Found
Advisory published under GHSA-3ch2-jxxc-v4xf in June 2025. The vulnerability exists in all versions prior to the fix.
How It Works
An attacker provides specially crafted input containing shell metacharacters (;, |, &&, $(), backticks) through MCP tool parameters. Because the server concatenates this input directly into exec() calls, the injected commands execute with the server process's full privileges on the host system.
Impact
Full remote code execution on the server host. Attackers can read/write files, install malware, establish reverse shells, pivot to other systems, and exfiltrate any data accessible to the server process. This is a trivially exploitable RCE with maximum impact.
Mitigation
Update to a patched version of create-mcp-server-stdio. Replace exec() with execFile() or spawn(), passing arguments as an array so that no shell parses them, to prevent shell injection. Never concatenate user input into shell commands. Implement input validation and sandboxing for all MCP server processes.
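The difference between the two patterns, as an added example that is not code from create-mcp-server-stdio: a hypothetical tool handler written once with string concatenation and once with an argument array, plus a regression check that feeds both the metacharacters listed under How It Works. The handler names, the MARK marker and the probe strings are constructed for illustration; execSync and execFileSync stand in for exec and execFile (same shell versus no-shell behaviour) so the check runs synchronously, and a POSIX host with echo on PATH is assumed.

```javascript
// Added example, not code from create-mcp-server-stdio.
// Assumes a POSIX host with /bin/sh and `echo` on PATH.
const { execSync, execFileSync } = require('node:child_process');

const OPTS = { encoding: 'utf8', stdio: 'pipe' };

// Vulnerable pattern (hypothetical handler): the tool parameter is
// concatenated into a command string. execSync, like exec, passes the
// whole string to a shell, which parses any metacharacters in `name`.
function greetUnsafe(name) {
  return execSync('echo hello ' + name, OPTS);
}

// Hardened pattern: fixed executable plus an argument array.
// execFileSync, like execFile, starts the program without a shell, so
// `name` reaches echo as one argv entry and is never parsed as syntax.
function greetSafe(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 256) {
    throw new TypeError('name must be a string of 1 to 256 characters');
  }
  return execFileSync('echo', ['hello', name], OPTS);
}

// Constructed probes, one per metacharacter named in the advisory.
// MARK is a harmless marker that only appears alone if a shell ran it.
const PROBES = [
  'a; echo MARK',
  'a | echo MARK',
  'a && echo MARK',
  'a $(echo MARK)',
  'a `echo MARK`',
];

// Regression check: returns the probes that the handler did NOT treat
// as literal text (an empty array means no shell interpretation).
function shellInterpreted(handler) {
  return PROBES.filter((p) => handler(p) !== 'hello ' + p + '\n');
}

console.log('unsafe handler interpreted:', shellInterpreted(greetUnsafe));
console.log('safe handler interpreted:  ', shellInterpreted(greetSafe));
```

A check like shellInterpreted can be kept in a server's test suite so that a later change reintroducing a shell call is caught before release.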