CVE-2025-52573

CVE-2025-52573 is a medium-severity OS command injection vulnerability in ios-simulator-mcp (npm), affecting versions < 1.3.3. It is fixed in 1.3.3.

Summary

Command Injection in MCP Server

The MCP Server at https://github.com/joshuayoes/ios-simulator-mcp/ is vulnerable to command injection in the definition and implementation of some of its MCP Server tools.

Vulnerable tool

The MCP Server exposes the tool ui_tap, which relies on the Node.js child process API exec, an unsafe API when untrusted user input is concatenated into its command string.

The LLM-exposed user input for the duration, udid, x and y args can be replaced with shell meta-characters such as ; or && to change the behavior from running the expected idb command to running another command.

Vulnerable line of code: https://github.com/joshuayoes/ios-simulator-mcp/blob/main/src/index.ts#L166-L207

  server.tool(
    "ui_tap",
    "Tap on the screen in the iOS Simulator",
    {
      duration: z.string().optional().describe("Press duration"),
      udid: z
        .string()
        .optional()
        .describe("Udid of target, can also be set with the IDB_UDID env var"),
      x: z.number().describe("The x-coordinate"),
      y: z.number().describe("The x-coordinate"),
    },
    async ({ duration, udid, x, y }) => {
      try {
        const actualUdid = await getBootedDeviceId(udid);
        const durationArg = duration ? `--duration ${duration}` : "";
        const { stderr } = await execAsync(
          `idb ui tap --udid ${actualUdid} ${durationArg} ${x} ${y}  --json`
        );

Exploitation

When LLMs are tricked through prompt injection (and other techniques and attack vectors) into calling the tool with input that uses special shell characters such as ; rm -rf /tmp;# and other payload variations, the full command-line text will be interpreted by the shell, and commands other than the expected one will execute on the host running the MCP Server.

Reference example from prior security research on this topic:

References and Prior work

  1. Exploiting MCP Servers Vulnerable to Command Injection
  2. Liran's Node.js Secure Coding: Defending Against Command Injection Vulnerabilities

Disclosed by Liran Tal

Impact

User initiated and remote command injection on a running MCP Server.

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

CVE-2025-52573 has a CVSS score of 6.0 (Medium). The vector requires local access, low privileges, and user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.3.3); upgrading removes the vulnerable code path.

Affected versions

ios-simulator-mcp (< 1.3.3)

Security releases

ios-simulator-mcp → 1.3.3 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade ios-simulator-mcp to 1.3.3 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-52573? CVE-2025-52573 is a medium-severity OS command injection vulnerability in ios-simulator-mcp (npm), affecting versions < 1.3.3. It is fixed in 1.3.3. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is CVE-2025-52573? CVE-2025-52573 has a CVSS score of 6.0 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of ios-simulator-mcp are affected by CVE-2025-52573? ios-simulator-mcp (npm) versions < 1.3.3 are affected.
  4. Is there a fix for CVE-2025-52573? Yes. CVE-2025-52573 is fixed in 1.3.3. Upgrade to this version or later.
  5. Is CVE-2025-52573 exploitable, and should I be worried? Whether CVE-2025-52573 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-52573 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-52573? Upgrade ios-simulator-mcp to 1.3.3 or later.
