VYPR
← All advisories
Critical severityNVD Advisory· Published Dec 1, 2025· Updated Dec 2, 2025

MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL

CVE-2025-66401

Description

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCP Watch <=0.1.2 has command injection in cloneRepo, enabling RCE via malicious URL.

MCP Watch is a security scanner for MCP servers. In version 0.1.2 and earlier, the cloneRepo method in MCPScanner passes a user-supplied githubUrl directly to execSync without sanitization, leading to command injection [1][2][3]. The vulnerable code executes git clone --depth 1 ${url} ${targetDir} in a shell, allowing shell metacharacters to be interpreted [3].

An attacker can exploit this by providing a URL containing command separators (e.g., ;, &, |) followed by arbitrary commands. No authentication is required if the scanner is invoked via CLI or as a service. The attack surface includes local use (if a user scans a malicious URL) or remote exploitation if hosted as a web service [3].

Successful exploitation allows arbitrary command execution with the privileges of the scanning process. This could lead to full host compromise, data exfiltration, or lateral movement in a CI/CD pipeline [2][3].

The vulnerability is fixed in commit e7da78c5b4b960f8b66c254059ad9ebc544a91a6 by replacing execSync with spawnSync, which avoids shell interpretation [4]. Users should update to the latest version or apply the patch. If patching is not possible, avoid scanning untrusted URLs [3].

References
  1. GitHub - kapilduraphe/mcp-watch: A comprehensive security scanner for Model Context Protocol (MCP) servers that detects vulnerabilities and security issues in your MCP server implementations.
  2. NVD - CVE-2025-66401
  3. Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL
  4. chore(vuln): fixes the vuln plus updates deps · kapilduraphe/mcp-watch@e7da78c

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
mcp-watchnpm
<= 0.1.2

Affected products

2

Patches

1
e7da78c5b4b9

chore(vuln): fixes the vuln plus updates deps

https://github.com/kapilduraphe/mcp-watchKapil DurapheNov 30, 2025via ghsa
commit
8 files changed · +23 19
  • Dockerfile+2 2 modified
    @@ -1,5 +1,5 @@
 # Multi-stage build for production
-FROM node:24-alpine AS builder
+FROM node:25-alpine AS builder
 
 # Set working directory
 WORKDIR /app
@@ -19,7 +19,7 @@ RUN npm ci
 RUN npm run build
 
 # Production stage
-FROM node:24-alpine AS production
+FROM node:25-alpine AS production
 
 # Install git (required for repository cloning)
 RUN apk add --no-cache git
  • .github/dependabot.yml+2 5 modified
    @@ -27,7 +27,6 @@ updates:
       include: "scope"
     labels:
       - "dependencies"
-      - "automated"
     # Rebase on conflicts
     rebase-strategy: "auto"
 
@@ -52,8 +51,7 @@ updates:
       prefix: "ci"
       include: "scope"
     labels:
-      - "github-actions"
-      - "automated"
+      - "dependencies"
     rebase-strategy: "auto"
 
   # Enable version updates for Docker
@@ -73,6 +71,5 @@ updates:
       prefix: "docker"
       include: "scope"
     labels:
-      - "docker"
-      - "automated"
+      - "dependencies"
     rebase-strategy: "auto"
  • .github/workflows/ci.yml+3 3 modified
    @@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '18'
         cache: 'npm'
@@ -36,7 +36,7 @@ jobs:
     needs: test
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Build Docker image
       run: docker build -t mcp-watch .
  • .github/workflows/dependency-update.yml+2 2 modified
    @@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '18'
         cache: 'npm'
  • .github/workflows/docker-test.yml+1 1 modified
    @@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Build image
       run: |
  • .github/workflows/release.yml+2 2 modified
    @@ -9,10 +9,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '18'
         cache: 'npm'
  • .github/workflows/security-scan.yml+2 2 modified
    @@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '18'
         cache: 'npm'
  • src/scanner/McpScanner.ts+9 2 modified
    @@ -1,6 +1,6 @@
 import * as fs from "fs";
 import * as path from "path";
-import { execSync } from "child_process";
+import { spawnSync } from "child_process";
 import * as tmp from "tmp";
 import { Vulnerability } from "../types/Vulnerability";
 import { CredentialScanner } from "./scanners/CredentialScanner";
@@ -178,7 +178,14 @@ export class MCPScanner {
   private async cloneRepo(url: string, targetDir: string) {
     try {
       console.log("📥 Cloning repository...");
-      execSync(`git clone --depth 1 ${url} ${targetDir}`, { stdio: "pipe" });
+      const result = spawnSync("git", ["clone", "--depth", "1", url, targetDir], {
+        stdio: "pipe",
+        encoding: "utf-8",
+      });
+
+      if (result.error || result.status !== 0) {
+        throw new Error(`Git clone failed: ${result.stderr || result.error?.message}`);
+      }
     } catch (error) {
       throw new Error(`Failed to clone repository: ${error}`);
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.