Description

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

INFO

Published Date :

2025-12-01T22:43:26.639Z

Last Modified :

2025-12-02T14:14:16.297Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66401 vulnerability.

Vendors Products
Kapilduraphe
  • Mcp Watch
Mcp-watch Project
  • Mcp-watch
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66401.

URL Resource
https://github.com/kapilduraphe/mcp-watch/commit/e7da78c5b4b960f8b66c254059ad9ebc544a91a6 cve-icon cve-icon
https://github.com/kapilduraphe/mcp-watch/security/advisories/GHSA-27m7-ffhq-jqrm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact