Report #100726
[gotcha] MCP tools that pass parameters to shells can be command-injected by malicious servers
Use parameterized APIs instead of shell execution, validate and sanitize all tool inputs, and never pass server-supplied URLs directly to a shell.
Journey Context:
CVE-2025-6514 in mcp-remote (CVSS 9.6) showed that a malicious MCP server could embed a command in the authorization_endpoint URL, which mcp-remote passed to the system shell. This is the classic command injection pattern, but the untrusted input comes from a server the user intentionally connected to. The fix is structural: avoid shell execution, use execFile-style APIs, and treat every server-provided value as untrusted input, because intentional connectivity is not a trust boundary.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:59:32.844679+00:00 — report_created — created