Summary
The MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.
Details
The vulnerability exists in the src/scanner/MCPScanner.ts file within the cloneRepo method.
The code uses child_process.execSync to execute a git clone command:
Because execSync spawns a shell (defaulting to /bin/sh on Unix or cmd.exe on Windows), any shell metacharacters present in the url argument will be interpreted by the shell. The application does not validate that the url is a valid Git URL, nor does it sanitize input for shell metacharacters.
PoC
Install the package or clone the repository.
Run the scanner using the CLI (or invoke scanRepository programmatically).
Provide a malicious URL containing a command separator (e.g., ;, &, or |) and a system command.
payload : npm run scan:github "https://github.com/kapilduraphe/mcp-watch & calc.exe"
Impact
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description: This vulnerability allows an attacker to execute arbitrary code on the machine running the scanner.
If run by a developer locally, it compromises their workstation.
If deployed as a hosted scanning service, it grants the attacker full control over the server (RCE), leading to potential data exfiltration, service disruption, or further lateral movement within the infrastructure.
Context Dependent Risk:
Local CLI : If you run this tool locally on your own machine, you are "hacking yourself." The risk is limited unless you copy-paste a malicious URL sent by someone else (e.g., "Hey, check this repo scan: npm run scan "https://git./..; rm -rf /").
Web Service / CI Pipeline (Critical Risk): If this scanner is deployed as a web service (e.g., "Paste your repo URL to scan"), an attacker can take full control of the server immediately.
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
CVE-2025-66401 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-66401? CVE-2025-66401 is a critical-severity OS command injection vulnerability in mcp-watch (npm), affecting versions <= 0.1.2. No fixed version is listed yet. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is CVE-2025-66401? CVE-2025-66401 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of mcp-watch are affected by CVE-2025-66401? mcp-watch (npm) versions <= 0.1.2 is affected.
- Is there a fix for CVE-2025-66401? No fixed version is listed for CVE-2025-66401 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2025-66401 exploitable, and should I be worried? Whether CVE-2025-66401 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-66401 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-66401? No fixed version is listed yet. In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.