CVE-2025-54994
Description
@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that leaves some of its MCP Server tool definitions and implementations vulnerable to command injection. The MCP Server exposes the tool which-app-on-port, which relies on the Node.js child process API exec; that API is unsafe when the command string is concatenated with untrusted user input, because the resulting string is interpreted by a shell. Version 0.0.13 contains a fix for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @akoskm/create-mcp-server-stdio (npm) | < 0.0.13 | 0.0.13 |
Affected products
- Range: v0.0.1, v0.0.10, v0.0.11, …
Patches
48c26bbe1f8c fix: apply secure coding convention with execFile to prevent command injection in MCP server code (#1)
1 file changed · +3 −3
src/index.ts+3 −3 modified@@ -1,7 +1,7 @@ import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js"; import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"; import { z } from "zod"; -import { exec } from "child_process"; +import { execFile } from "child_process"; // Create an MCP server const server = new McpServer({ name: "Demo", @@ -23,13 +23,13 @@ interface ProcessInfo { server.tool("which-app-on-port", { port: z.number() }, async ({ port }) => { const result = await new Promise<ProcessInfo>((resolve, reject) => { - exec(`lsof -t -i tcp:${port}`, (error, pidStdout) => { + execFile('lsof', ['-t', '-i', `tcp:${port}`], (error, pidStdout) => { if (error) { reject(error); return; } const pid = pidStdout.trim(); - exec(`ps -p ${pid} -o comm=`, (error, stdout) => { + execFile('ps', ['-o', 'comm=', '-p', pid], (error, stdout) => { if (error) { reject(error); return;
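Review bot: in the second hunk, `pid` is taken straight from lsof's stdout and passed to `execFile('ps', ['-o', 'comm=', '-p', pid], ...)` without validation. Because execFile spawns no shell this no longer allows injection, but `lsof -t` prints one PID per line and can print several, so `pid` may contain embedded newlines and `ps -p` then receives a malformed argument. Suggest splitting `pidStdout` on newlines, keeping only entries that match `/^\d+$/`, and rejecting when nothing matches. In the first hunk, the tool schema `z.number()` still admits non-integers and out-of-range values; `z.number().int().min(1).max(65535)` would keep `tcp:${port}` well-formed before it reaches lsof.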
Vulnerability mechanics
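The exec() shape the description calls unsafe beside the execFile() shape the patch adopts, as an added example that is not the project's code: the helpers buildShellCommand, validatePort, buildLsofArgs, parsePids and whichAppOnPort are assumed names, and the port validation and multi-PID handling go beyond the one-line substitution in the fix commit.

```javascript
// Added example, not the project's code: the exec() pattern the advisory
// describes next to the execFile() pattern the fix adopts. Names are assumed.

// Vulnerable shape: the port is spliced into a shell command line, so whatever
// the caller sends is parsed by /bin/sh. A non-numeric value such as
// "80; echo injected" becomes a second command.
function buildShellCommand(port) {
  return `lsof -t -i tcp:${port}`;
}

// Hardened shape, step 1: accept only a TCP port number (integer 1..65535).
function validatePort(port) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new TypeError(`invalid port: ${JSON.stringify(port)}`);
  }
  return port;
}

// Hardened shape, step 2: build an argv array. execFile() hands it to the
// program directly with no shell, so no metacharacter is ever interpreted.
function buildLsofArgs(port) {
  return ["-t", "-i", `tcp:${validatePort(port)}`];
}

// `lsof -t` prints one PID per line and may print several; keep only
// all-digit entries so nothing unexpected is passed on to `ps -p`.
function parsePids(stdout) {
  return stdout
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => /^\d+$/.test(line));
}

// Runs both commands the way the fix does (argv arrays, no shell). Needs lsof
// and ps on the host; child_process is required here so the helpers above stay
// testable without spawning anything.
async function whichAppOnPort(port) {
  const { execFile } = require("node:child_process");
  const run = (cmd, args) =>
    new Promise((resolve, reject) =>
      execFile(cmd, args, (err, stdout) => (err ? reject(err) : resolve(stdout)))
    );
  const pids = parsePids(await run("lsof", buildLsofArgs(port)));
  const names = await Promise.all(
    pids.map((pid) => run("ps", ["-o", "comm=", "-p", pid]))
  );
  return pids.map((pid, i) => ({ pid, name: names[i].trim() }));
}
```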
References
- github.com/advisories/GHSA-3ch2-jxxc-v4xf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-54994 (ghsa, ADVISORY)
- github.com/akoskm/create-mcp-server-stdio/blob/main/src/index.ts (nvd, WEB)
- github.com/akoskm/create-mcp-server-stdio/commit/48c26bbe1f8c62764e4592f33c8300d1cadd2eac (nvd, WEB)
- github.com/akoskm/create-mcp-server-stdio/pull/1 (ghsa, WEB)
- github.com/akoskm/create-mcp-server-stdio/security/advisories/GHSA-3ch2-jxxc-v4xf (nvd, WEB)