appium-mcp

GHSA-X975-RGX4-5FH4

GHSA-X975-RGX4-5FH4 is a high-severity cross-site scripting (XSS) vulnerability in appium-mcp (npm), affecting versions <= 1.85.9. It is fixed in 1.85.10.

Key facts

  • CVSS score: 8.2 (High)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: appium-mcp
  • Fixed in: 1.85.10
  • Disclosed: Not available

Summary

Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)

appium-mcp's createLocatorGeneratorUI function interpolates attacker-controlled element attributes, text, content-desc, resource-id, and locator selector values, directly into an HTML template literal without any HTML or JavaScript context escaping. An attacker who controls the UI of the app under test can inject arbitrary HTML and JavaScript into the MCP UI resource returned by the generatelocators tool. When a victim's MCP client renders this resource, the injected script executes and can invoke arbitrary MCP tools via window.parent.postMessage, leading to unauthorized MCP tool execution such as taking screenshots, reading page source, or any other registered capability.

Details

The vulnerability is a stored/reflected cross-site scripting (XSS) issue in the MCP UI generation pipeline.

Vulnerable sink, src/ui/mcp-ui-utils.ts:730–740:

None of element.text, element.contentDesc, element.resourceId, selector, or strategy are HTML-escaped before insertion. The onclick attribute additionally embeds selector and strategy into an inline JavaScript string using only a backtick-escape that is insufficient to prevent breakout via HTML event attribute syntax or single-quote injection.

By contrast, createPageSourceInspectorUI at src/ui/mcp-ui-utils.ts:911–916 does apply escaping to the page source, confirming that the protection gap in createLocatorGeneratorUI is an oversight, not a design choice.

Complete data flow (source → sink):

  • src/tools/test-generation/locators.ts:57, getPageSource(driver) reads the page source XML from an active Appium session; the connected app is fully attacker-controlled.
  • src/tools/test-generation/locators.ts:72, the raw page source is passed to generateAllElementLocators.
  • src/locators/source-parsing.ts:108, XML attribute values undergo only newline replacement (attr.value.replace(/(\n)/gm, '\n')); HTML entities such as &lt; are decoded into raw < characters by the XML parser with no re-encoding.
  • src/locators/generate-all-locators.ts:73–75, element.attributes.text, ['content-desc'], and ['resource-id'] are copied verbatim into the locator result object.
  • src/tools/test-generation/locators.ts:90, the locator objects are passed to createLocatorGeneratorUI.
  • src/ui/mcp-ui-utils.ts:730–740, values are interpolated directly into the HTML response (sink).

The window.parent.postMessage({type:'tool', payload:{toolName:...}}, '') mechanism used throughout src/ui/mcp-ui-utils.ts:645–695 means any JavaScript executing in the rendered UI resource can invoke registered MCP tools unconditionally.

Remediation requires an HTML-escaping helper (replacing &, <, >, ", ') applied to all element properties in the HTML context, and JSON.stringify for values embedded inside JavaScript string literals in onclick handlers.

PoC

Prerequisites:

  • appium-mcp v1.85.8 or v1.85.9 installed from npm
  • Node.js 20+ with the package built (npm install && npm run build)
  • An MCP client that renders HTML resources returned by generatelocators (e.g., VS Code with the Appium MCP extension, or any WebView-based MCP host)

Static confirmation (no Appium session required):

Expected output:

Dynamic confirmation (Docker, network-isolated):

The container output confirms:

End-to-end exploitation against a real MCP client:

  1. Attacker publishes or sideloads an Android/iOS app whose UI element text, content-desc, or resource-id attributes contain an XSS payload (e.g., <img src=x onerror="window.parent.postMessage({type:'tool',payload:{toolName:'executescript',params:{script:'fetch(...)'}},'')">).
  2. Victim developer connects their Appium MCP server to the attacker's app and calls the generatelocators MCP tool.
  3. The MCP client renders the returned HTML resource in a WebView / iframe.
  4. The injected onerror handler fires and posts a crafted tool message to the parent frame, causing the MCP host to invoke arbitrary registered tools (e.g., appiumscreenshot, executescript, getpagesource) without user confirmation.

Impact

This is a Cross-Site Scripting (XSS) vulnerability. Any developer using appium-mcp with an MCP client that renders HTML resources (the intended workflow for the UI feature) is impacted when they inspect elements from an attacker-controlled application.

Impact scenarios:

  • Arbitrary MCP tool invocation: Injected JavaScript calls window.parent.postMessage with any tool name and parameters, executing MCP tools silently (e.g., taking screenshots, reading page source, executing scripts on the device).
  • Credential and data exfiltration: Via executescript or screenshot tools, an attacker can extract sensitive data visible on the device screen or in the page source.
  • Lateral movement / persistence: If the MCP host exposes file-system or shell tools, the attacker can escalate to arbitrary code execution on the developer's machine.
  • Supply-chain / CI abuse: Automated test pipelines that call generatelocators against third-party app builds are equally vulnerable; no human interaction beyond running the pipeline is required.

The attack requires no authentication (PR:N), the tool is enabled by default (default-on: Y), and the scope is changed (S:C) because JavaScript executes in the MCP host frame rather than the sandboxed resource.

Reproduction artifacts

  • Dockerfile
  • poc.py
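
The remediation named in the advisory details above (an HTML-escaping helper for element properties, JSON.stringify for values inside onclick string literals), shown as an added example. It is not appium-mcp's code or its actual patch; escapeHtml, jsStringInAttr, the testLocator handler name, the row layout and the sample element are assumptions.

```javascript
// Added example, not appium-mcp code; function names and row layout are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JS string literal that is also safe inside a quoted HTML attribute:
// JSON.stringify covers the JavaScript context, escapeHtml the attribute context.
function jsStringInAttr(value) {
  return escapeHtml(JSON.stringify(String(value ?? '')));
}

// The pattern the advisory describes: raw interpolation, kept for comparison only.
function renderRowUnsafe(el) {
  return `<tr><td>${el.text}</td><td>${el.resourceId}</td><td>` +
    `<button onclick="testLocator('${el.strategy}', '${el.selector}')">Test</button></td></tr>`;
}

// Hardened: every value is encoded for the context it lands in.
function renderRowSafe(el) {
  return `<tr><td>${escapeHtml(el.text)}</td><td>${escapeHtml(el.resourceId)}</td><td>` +
    `<button onclick="testLocator(${jsStringInAttr(el.strategy)}, ` +
    `${jsStringInAttr(el.selector)})">Test</button></td></tr>`;
}

// What the browser hands to the JS engine: the attribute value with entities decoded.
function onclickSource(html) {
  const m = html.match(/onclick="([^"]*)"/);
  return m && m[1].replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) =>
    Object.keys(HTML_ESCAPES).find((ch) => HTML_ESCAPES[ch] === ent));
}

// Run the handler against a stub testLocator and return the arguments it receives.
function handlerArgs(html) {
  let seen = null;
  new Function('testLocator', onclickSource(html))((...args) => { seen = args; });
  return seen;
}

// Constructed sample: attribute values as they could arrive from an untrusted page source.
const sample = {
  text: '<b id="injected">hi</b>',
  resourceId: 'com.example:id/ok',
  strategy: 'xpath',
  selector: `//*[@text='a"b']`,
};

console.log(renderRowSafe(sample));
console.log(handlerArgs(renderRowSafe(sample)));
```

JSON.stringify on its own is not sufficient in the onclick case: the double quotes it emits would end the attribute, so the literal is HTML-escaped as well. Ordinary XPath selectors already contain quotes, which is why the raw-interpolated handler fails to parse even for benign input.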

Impact

What is cross-site scripting (XSS)?

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Severity and exposure

GHSA-X975-RGX4-5FH4 has a CVSS score of 8.2 (High). The vector is network-reachable, requires no privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.85.10). Upgrading removes the vulnerable code path.

Affected versions

npm

  • appium-mcp (<= 1.85.9)

Security releases

  • appium-mcp → 1.85.10 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether GHSA-X975-RGX4-5FH4 is reachable in your applications.

Remediation advice

Upgrade appium-mcp to 1.85.10 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about GHSA-X975-RGX4-5FH4

What is GHSA-X975-RGX4-5FH4?

GHSA-X975-RGX4-5FH4 is a high-severity cross-site scripting (XSS) vulnerability in appium-mcp (npm), affecting versions <= 1.85.9. It is fixed in 1.85.10. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.

How severe is GHSA-X975-RGX4-5FH4?

GHSA-X975-RGX4-5FH4 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of appium-mcp are affected by GHSA-X975-RGX4-5FH4?

appium-mcp (npm) versions <= 1.85.9 are affected.

Is there a fix for GHSA-X975-RGX4-5FH4?

Yes. GHSA-X975-RGX4-5FH4 is fixed in 1.85.10. Upgrade to this version or later.

Is GHSA-X975-RGX4-5FH4 exploitable, and should I be worried?

Whether GHSA-X975-RGX4-5FH4 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether GHSA-X975-RGX4-5FH4 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix GHSA-X975-RGX4-5FH4?

Upgrade appium-mcp to 1.85.10 or later.
