Command Injection Vulnerability in ADB MCP Server for Android Devices
CVE-2025-59834
9.8 CRITICAL
What is CVE-2025-59834?
The ADB MCP Server, a framework for interacting with Android devices via ADB, contains a command injection vulnerability in versions up to and including 0.1.0. The flaw arises from improper handling of tool definitions and implementations within the MCP server. An attacker could exploit it to execute arbitrary commands on the victim's system. The vulnerability was patched in commit 041729c. Users and developers should upgrade to the latest version to mitigate the risk.
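An added example, not code from adb-mcp or from this advisory: one way an MCP tool handler that wraps adb can avoid this class of bug, assuming tool arguments would otherwise be interpolated into a shell command string (the page does not show the affected code). The tool names, `buildAdbArgv` and `runAdbTool` are hypothetical.

```javascript
// Hypothetical MCP tool handler for an adb wrapper (names are illustrative).
// Risky shape this replaces: exec(`adb -s ${serial} shell pm list packages`),
// where the host shell parses whatever the tool caller put in `serial`.

const SERIAL_RE = /^[A-Za-z0-9][A-Za-z0-9._:-]{0,63}$/; // serial or host:port
const PACKAGE_RE = /^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$/;

function requireMatch(name, value, re) {
  if (typeof value !== "string" || !re.test(value)) {
    throw new TypeError(`invalid ${name}`);
  }
  return value;
}

// Allowlist of tools. Each entry returns fixed adb arguments plus validated
// fields only. `adb shell` joins its arguments and hands them to the device's
// shell, so nothing caller-supplied is ever placed after "shell".
const TOOLS = {
  list_packages: () => ["shell", "pm", "list", "packages"],
  uninstall_package: (p) => [
    "uninstall",
    requireMatch("package", p.package, PACKAGE_RE),
  ],
};

// Build the argument vector; throws TypeError on anything unexpected.
function buildAdbArgv(tool, params) {
  if (!Object.prototype.hasOwnProperty.call(TOOLS, tool)) {
    throw new TypeError("unknown tool");
  }
  const serial = requireMatch("serial", params && params.serial, SERIAL_RE);
  return ["-s", serial, ...TOOLS[tool](params)];
}

// Run adb without a host shell: execFile passes argv entries verbatim.
async function runAdbTool(tool, params) {
  const argv = buildAdbArgv(tool, params);
  const { execFile } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    execFile("adb", argv, { timeout: 15000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout)
    );
  });
}
```

Validation happens in `buildAdbArgv` before any process is started, so a rejected request never reaches adb.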
Affected Version(s)
adb-mcp <= 0.1.0