Command Injection Vulnerability in MCP Package Documentation Server by Sam McJ
CVE-2025-54073

7.5HIGH

Key Information:

Vendor: Sammcj
Status: Mcp-package-docs
Vendor: CVE Published:; 18 July 2025

What is CVE-2025-54073?

A command injection vulnerability exists in the mcp-package-docs MCP Server. The flaw arises from the unsanitized handling of input parameters used within the child_process.exec method, allowing an attacker to inject arbitrary system commands. If exploited, this could potentially lead to remote code execution with the server's privileges, posing significant security risks. Users are strongly encouraged to upgrade to version 0.1.28 or later, where this issue is resolved.

Affected Version(s)

mcp-package-docs < 0.1.27

References

https://github.com/sammcj/mcp-package-docs/security/advis...

x_refsource_CONFIRM

https://github.com/sammcj/mcp-package-docs/commit/cb4ad49...

x_refsource_MISC

https://equixly.com/blog/2025/03/29/mcp-server-new-securi...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 18, 2025
Vulnerability Reserved
Jul 16, 2025

Sammcj

What is CVE-2025-54073?

Affected Version(s)

References

CVSS V3.1

Timeline