Command Injection Vulnerability in AiondaDotCom mcp-ssh Product
CVE-2025-9654

5.3 MEDIUM

Key Information:

CVE Published: 29 August 2025

What is CVE-2025-9654?

A command injection vulnerability has been found in the AiondaDotCom mcp-ssh product, in the file server-simple.mjs. An attacker can exploit it remotely to inject commands, which can lead to unauthorized access and malicious control over the server. Users are strongly encouraged to upgrade to version 1.0.4 or 1.1.0, which address this flaw with the patch identified in commit cd2566a948b696501abfa6c6b03462cac5fb43d8. Updating affected systems removes the exposure to this flaw.

Affected Version(s)

mcp-ssh 1.0.0

mcp-ssh 1.0.1

mcp-ssh 1.0.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

amgisn (VulDB User)