A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection.
The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery.
Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 7
https://github.com/sigmade/Git-MCP-Server/
cna@vuldb.com
https://github.com/sigmade/Git-MCP-Server/issues/1
cna@vuldb.com
https://github.com/sigmade/Git-MCP-Server/pull/2
cna@vuldb.com
https://github.com/user-attachments/files/24855745/Git-MCP-Server.bug.pdf
cna@vuldb.com
https://vuldb.com/?ctiid.352045
cna@vuldb.com
https://vuldb.com/?id.352045
cna@vuldb.com
https://vuldb.com/?submit.773796
cna@vuldb.com