Summary
The MCP server mcp-server-auto-commit is vulnerable to command injection due to unsafe use of child_process.exec with user-controlled input in the git-changes-commit-message tool.
Affected Versions
<= 0.0.1
Vulnerable Code
https://github.com/hypermodel-labs/mcp-server-auto-commit/blob/main/index.ts#L39-L46
Details
The MCP tool git-changes-commit-message constructs a command string using user-supplied parameter autoCommitPath and executes it via child_process.exec as await execAsync(cd ${cwd}). Because exec invokes commands through a system shell, specially crafted input containing shell metacharacters (such as ;, &, or |) may be interpreted as additional commands rather than treated as data.
For example, an attacker could supply a malicious value in autoCommitPath to inject arbitrary shell commands, which would then be executed with the privileges of the MCP server process.
The vulnerability results from shell-based command execution combined with direct interpolation of untrusted input. In MCP environments, LLM-generated tool parameters influenced by external content may trigger execution of injected commands without direct local user interaction.
Impact
Successful exploitation allows attackers to execute arbitrary commands on the server hosting the MCP service. This may allow attackers to execute commands, access sensitive data, or modify the host environment depending on the privileges of the MCP server.
Recommendation
- Don't use exec. Use execFile instead, which pins the command and provides the arguments as array elements.
- Apply strict input validation to all tool parameters exposed to MCP clients, especially the autoCommitPath parameter.
- Use parameter separation with proper escaping to prevent shell command injection.
PoC
See the attached files:
mcp-git-status_bug.pdf
Summary
The MCP server mcp-server-auto-commit is vulnerable to command injection due to unsafe use of child_process.exec with user-controlled input in the git-changes-commit-message tool.
Affected Versions
<= 0.0.1
Vulnerable Code
https://github.com/hypermodel-labs/mcp-server-auto-commit/blob/main/index.ts#L39-L46
Details
The MCP tool git-changes-commit-message constructs a command string using user-supplied parameter autoCommitPath and executes it via child_process.exec as await execAsync(
cd ${cwd}). Because exec invokes commands through a system shell, specially crafted input containing shell metacharacters (such as;,&, or|) may be interpreted as additional commands rather than treated as data.For example, an attacker could supply a malicious value in autoCommitPath to inject arbitrary shell commands, which would then be executed with the privileges of the MCP server process.
The vulnerability results from shell-based command execution combined with direct interpolation of untrusted input. In MCP environments, LLM-generated tool parameters influenced by external content may trigger execution of injected commands without direct local user interaction.
Impact
Successful exploitation allows attackers to execute arbitrary commands on the server hosting the MCP service. This may allow attackers to execute commands, access sensitive data, or modify the host environment depending on the privileges of the MCP server.
Recommendation
PoC
See the attached files:
mcp-git-status_bug.pdf