Report #102619
[gotcha] Command injection through MCP tool arguments and server-side URL handling
Never pass tool arguments into a shell string; use execFile/spawn with arrays, validate and escape every input, and sanitize URL fields such as authorization\_endpoint before opening a browser or executing code.
Journey Context:
Because MCP tools accept strings from an LLM, developers often concatenate them into shell commands or browser-open URLs. CVE-2025-6514 showed that a malicious MCP server could craft an authorization\_endpoint response that executed arbitrary OS commands via mcp-remote. The vulnerability is not exotic; it is the classic injection pattern returning because tool inputs are treated as trusted after the model produces them.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:11:05.678104+00:00— report_created — created