CNNVD-202510-1124 Information
CNNVD ID
CNNVD-202510-1124
Related CVE
- CNNVD Published: 2025-10-08
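Description (translated from Chinese)
Desktop Commander MCP is an MCP server by individual developer Eduard Ruzga. Desktop Commander MCP 0.2.13 and earlier contain a security vulnerability: an OS command injection in the extractBaseCommand function of src/command-manager.ts, part of the Absolute Path Handler component, which may be exploited remotely.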
Description (English)
Desktop Commander MCP is an MCP server developed by individual developer Eduard Ruzga. Desktop Commander MCP 0.2.13 and earlier versions contain a security vulnerability that originates from an OS command injection in the extractBaseCommand function of the src/command-manager.ts file in the Absolute Path Handler component and may be exploited remotely.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2025-10-08
Last Modified
2026-02-24
References
https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/218
https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/218#issue-3343855120
https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/218#issuecomment-3214135034
https://vuldb.com/?ctiid.327609
https://vuldb.com/?id.327609
https://vuldb.com/?submit.668005
Patch
https://github.com/wonderwhy-er/DesktopCommanderMCP/releases