Command Injection Vulnerability in MCP Server Starter Kit by akoskm
CVE-2025-54994

9.3CRITICAL

Key Information:

Vendor: Akoskm
Status: Create-mcp-server-stdio
Vendor: CVE Published:; 8 September 2025

What is CVE-2025-54994?

The MCP server starter kit 'create-mcp-server-stdio' has a command injection vulnerability that could potentially allow attackers to execute arbitrary commands on the server. This flaw arises from the tool 'which-app-on-port', which uses the Node.js child process API 'exec' in an unsafe manner, particularly when handling untrusted user inputs. Versions before 0.0.13 are susceptible to this security risk. Users are advised to update to version 0.0.13 or later to mitigate this vulnerability.

Affected Version(s)

create-mcp-server-stdio < 0.0.13

References

https://github.com/akoskm/create-mcp-server-stdio/securit...

x_refsource_CONFIRM

https://github.com/akoskm/create-mcp-server-stdio/commit/...

x_refsource_MISC

https://github.com/akoskm/create-mcp-server-stdio/blob/ma...

x_refsource_MISC

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 8, 2025
Vulnerability Reserved
Aug 4, 2025

Akoskm

What is CVE-2025-54994?

Affected Version(s)

References

CVSS V4

Timeline