CVE-2025-54994: @akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
User-initiated and remote command injection on a running MCP server.
References
- github.com/advisories/GHSA-3ch2-jxxc-v4xf
- github.com/akoskm/create-mcp-server-stdio
- github.com/akoskm/create-mcp-server-stdio/blob/main/src/index.ts
- github.com/akoskm/create-mcp-server-stdio/commit/48c26bbe1f8c62764e4592f33c8300d1cadd2eac
- github.com/akoskm/create-mcp-server-stdio/pull/1
- github.com/akoskm/create-mcp-server-stdio/security/advisories/GHSA-3ch2-jxxc-v4xf
- nvd.nist.gov/vuln/detail/CVE-2025-54994
Detect and mitigate CVE-2025-54994 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.