GHSA-v6wj-c83f-v46x: @profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module
| Field | Value |
|---|---|
| Project | profullstack/mcp-server |
| Repository | https://github.com/profullstack/mcp-server |
| Affected Commit | 2e8ea913573610667ad54e31dba2e8198ebf7cf9 |
| Affected Module | mcp_modules/domain_lookup |
| Affected Endpoints | POST /domain-lookup/check, POST /domain-lookup/bulk |
| Vulnerability Type | CWE-78: OS Command Injection |
| CVSS 3.1 Score | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Authentication Required | None |
| Default Network Exposure | Bind address 0.0.0.0, no global authentication middleware |
| Validated | 2026-04-21 (initial), 2026-04-28 (re-confirmed) |
```javascript
if (options.prefixes?.length) {
  command += ` --prefixes ${options.prefixes.join(',')}`;
}
```
```json
{"error":"tldx command failed: tldx command failed: /bin/sh: tldx: not found\n"}
{"error":"Bulk domain check failed: Bulk domain check failed: /bin/sh: tldx: not found\n"}
```