gin-vue-admin vulnerable to RCE
Description
gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit this vulnerability by injecting attacker-controlled Go source code through POST /autoCode/addFunc, and then invoking POST /autoCode/mcpStart to trigger a rebuild and restart of the standalone MCP service. This allows arbitrary operating system commands to be executed on the server with the privileges of the application process. Successful exploitation may lead to remote code execution (RCE), modification of backend source code or runtime logic, deployment of persistent backdoors, access to or manipulation of application data and configuration, and further impact on local resources running under the same service account or privilege context. The risk is highest in deployments that retain the source tree, allow writes to source files, and support local build or startup of standalone MCP components. In environments using binary-only releases, read-only filesystems, or with local build capabilities removed, the exploitability of the full attack chain is significantly reduced. However, once the online code-generation capability and MCP-hosted startup workflow are enabled, the overall security impact may reach high to critical severity. As of time of publication, it is unknown if a patched version is available. As a workaround, enforce strict allowlist validation on path- and identifier-related fields such as humpPackageName, packageName, FuncName, and Router, and only permit safe identifier formats.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: =2.9.1
Patches
Vulnerability mechanics
Root cause
"Missing input validation on the `humpPackageName` and `serverFunc` fields allows directory traversal and arbitrary Go source code injection into the MCP service source file."
Attack vector
An authenticated attacker first calls `POST /autoCode/addFunc` with a crafted JSON payload where the `serverFunc` field contains malicious Go code (e.g., an `init()` function) and the `humpPackageName` field uses path traversal (`../../../cmd/mcp/config`) to direct the write into the MCP service's source code. After the malicious code is written to `server/cmd/mcp/config.go`, the attacker calls `POST /autoCode/mcpStart`, which triggers a rebuild and restart of the standalone MCP process. When the MCP service starts, the injected `init()` function executes, running arbitrary OS commands (e.g., launching Calculator via `cmd.exe /c calc`). [ref_id=1]
Affected code
The vulnerability lies in the `POST /autoCode/addFunc` endpoint, which writes attacker-controlled Go source code into files under `server/cmd/mcp/config.go` (and also `web/src/plugin/announcement/api/info.js`), and the `POST /autoCode/mcpStart` endpoint, which rebuilds and restarts the standalone MCP service. The `humpPackageName` field is used to construct a file path with directory traversal (`../../../cmd/mcp/config`), enabling the injection into a file that gets compiled and executed.
What the fix does
No patch is available as of the advisory publication. The recommended workaround is to enforce strict allowlist validation on path– and identifier–related fields such as `humpPackageName`, `packageName`, `FuncName`, and `Router`, permitting only safe identifier formats. This would prevent directory traversal in the file path and block injection of arbitrary Go source code. Without such validation, the endpoints lack proper sanitization of user-controlled file paths and code content. [ref_id=1]
Preconditions
- authAuthenticated session with access to code-generation and MCP management features
- configServer retains source tree, allows writes to source files, and supports local build/startup of MCP components
- networkAttacker can send crafted JSON payloads to POST /autoCode/addFunc and POST /autoCode/mcpStart
Reproduction
Step 1: Call POST /autoCode/addFunc with a JSON body containing a malicious `serverFunc` (an `init()` function) and a `humpPackageName` of `../../../cmd/mcp/config` to write the injected code into `server/cmd/mcp/config.go`. Step 2: Call POST /autoCode/mcpStart to trigger a rebuild and restart of the MCP service, which executes the injected `init()` function. [ref_id=1]
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-22cv-9jv2-6m62mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.