CVE-2025-11285: MCPHub's ServerController is vulnerable to Command Injection

October 5, 2025 (updated November 10, 2025)

A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serverController.ts. The manipulation of the argument command/args results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/August829/YU1/issues/6
github.com/advisories/GHSA-5q2p-3jg8-2m98
github.com/samanhappy/mcphub
nvd.nist.gov/vuln/detail/CVE-2025-11285
vuldb.com/?ctiid.327043
vuldb.com/?id.327043
vuldb.com/?submit.659734

Code Behaviors & Features

Detect and mitigate CVE-2025-11285 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →