CVE-2025-53372 Overview
CVE-2025-53372 is a command injection vulnerability (CWE-77) in node-code-sandbox-mcp, a Node.js-based Model Context Protocol (MCP) server that spins up disposable Docker containers to execute arbitrary JavaScript. Versions prior to 1.3.0 pass unsanitized input parameters into a child_process.execSync call, allowing attackers to inject arbitrary system commands. Successful exploitation results in remote code execution under the server process's privileges on the host, bypassing the Docker sandbox that is supposed to isolate executed code. The maintainer fixed the issue in version 1.3.0.
Critical Impact
Attackers who can influence MCP tool parameters can break out of the Docker isolation boundary and execute commands directly on the host running the MCP server.
Affected Products
- node-code-sandbox-mcp versions prior to 1.3.0
- MCP server deployments that expose the sandbox to untrusted prompts or clients
- AI agent integrations that route tool calls into the sandbox without parameter validation
Discovery Timeline
- 2025-07-08 - CVE-2025-53372 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53372
Vulnerability Analysis
The node-code-sandbox-mcp server exposes MCP tools that orchestrate Docker containers to run untrusted JavaScript. To launch and manage these containers, the server invokes the Docker CLI through child_process.execSync. The vulnerable code paths concatenate user-controlled parameters, such as image names or container identifiers, directly into the shell command string passed to execSync.
Because execSync runs the command through a shell, any shell metacharacter (;, &&, |, backticks, $()) embedded in the input is interpreted by the shell rather than treated as data. An attacker who controls a parameter routed to the vulnerable function can append arbitrary commands that execute outside the Docker container, on the host running the MCP server.
This defeats the central security promise of the project. Code that the user submits is meant to run inside a disposable container, but command injection allows attackers to skip the container entirely and run commands with the privileges of the Node.js server process.
Root Cause
The root cause is missing neutralization of special elements used in a command (CWE-77). The server concatenates input parameters into a shell command and executes the result with child_process.execSync instead of passing arguments as a discrete array to a non-shell API such as child_process.spawn with shell: false.
Attack Vector
The attack vector is network-based and requires user interaction, typically through an MCP client or AI agent that forwards attacker-influenced parameters to a sandbox tool. An attacker who can supply a crafted value for an injected parameter (for example, a malicious image tag or container reference) triggers execution of the embedded commands when the server processes the tool call.
// Patch reference: example update from examples/playwright.js in the fix commit
name: 'run_js_ephemeral',
arguments: {
// Use the official MS playwright image
- image: 'mcr.microsoft.com/playwright:v1.52.0-noble',
+ image: 'mcr.microsoft.com/playwright:v1.53.2-noble',
code: `
import { chromium } from 'playwright';
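Review bot: this hunk only bumps the Playwright image tag in examples/playwright.js from v1.52.0-noble to v1.53.2-noble, a fixed string in an example tool call; it does not show the change described under Root Cause (replacing the concatenated execSync command string with an argument array passed to a non-shell API), so a reader cannot verify the remediation from this excerpt. Suggest quoting the hunk that touches the execSync call site instead, or labelling this one as an incidental example update bundled into commit e461a74.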
Source: GitHub commit e461a74
Detection Methods for CVE-2025-53372
Indicators of Compromise
- Unexpected child processes (shells, package managers, network utilities) spawned by the Node.js process hosting node-code-sandbox-mcp.
- Shell metacharacters (;, &&, |, `, $()) appearing in MCP tool parameters such as image names or container IDs.
- Outbound network connections from the MCP host that do not match expected Docker registry traffic.
- File system modifications outside of Docker container mount points originating from the server process.
Detection Strategies
- Inspect MCP request logs for tool arguments containing shell metacharacters or non-standard Docker image references.
- Monitor process trees in which a node process is the parent of /bin/sh -c and that shell then launches commands other than docker.
- Compare the installed node-code-sandbox-mcp version against 1.3.0 across deployments using package manifests.
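The first two detection strategies above, implemented as an added example that is not part of this page or of node-code-sandbox-mcp: one check scans MCP request logs for tool arguments carrying shell metacharacters, the other walks a process snapshot for the node -> sh -c -> non-docker shape. The log format (one JSON-RPC request per line) and the process record fields are assumptions.

```javascript
// Added example, not part of the page or the project: two detection strategies
// run over constructed sample data. Log format and process fields are assumptions.
// Whitespace and shell metacharacters have no place in an image reference or container ID.
const SHELL_META = /[;&|`$(){}<>\\'"]|\s/;

// Scan newline-delimited JSON MCP request logs for tools/call arguments that
// carry shell metacharacters. The `code` argument is skipped: the JavaScript the
// sandbox is meant to run legitimately contains them, so it would only add noise.
function findSuspiciousToolArgs(ndjson) {
  const findings = [];
  for (const line of ndjson.split('\n').filter(Boolean)) {
    let msg;
    try { msg = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (msg.method !== 'tools/call' || !msg.params) continue;
    for (const [key, value] of Object.entries(msg.params.arguments || {})) {
      if (key === 'code') continue;
      if (typeof value === 'string' && SHELL_META.test(value)) {
        findings.push({ id: msg.id, tool: msg.params.name, arg: key, value });
      }
    }
  }
  return findings;
}

// Process-tree check: node -> "sh -c" -> something other than docker is the
// shape a successful injection leaves behind; node -> sh -c -> docker is normal.
function findShellEscapes(procs) {
  const byPid = new Map(procs.map((p) => [p.pid, p]));
  const hits = [];
  for (const p of procs) {
    const sh = byPid.get(p.ppid);
    const node = sh && byPid.get(sh.ppid);
    if (!node || !/^node\b/.test(node.cmd) || !/^(\/bin\/)?sh -c /.test(sh.cmd)) continue;
    if (!/^docker\b/.test(p.cmd)) hits.push({ pid: p.pid, cmd: p.cmd, via: sh.cmd });
  }
  return hits;
}

// Constructed sample data for a stand-alone run.
const SAMPLE_LOG = [
  '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"run_js_ephemeral","arguments":{"image":"node:22","code":"console.log(1)"}}}',
  '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"run_js_ephemeral","arguments":{"image":"node:22 && echo injected","code":"1"}}}',
].join('\n');
const SAMPLE_PROCS = [
  { pid: 100, ppid: 1, cmd: 'node /srv/mcp/dist/server.js' },
  { pid: 101, ppid: 100, cmd: '/bin/sh -c docker run --rm node:22 && echo injected' },
  { pid: 102, ppid: 101, cmd: 'docker run --rm node:22' },
  { pid: 103, ppid: 101, cmd: 'echo injected' },
];
console.log(findSuspiciousToolArgs(SAMPLE_LOG), findShellEscapes(SAMPLE_PROCS));
```

On the sample data the log scan flags only request id 2 (its image argument contains a space and `&&`), and the process walk flags only pid 103, the non-docker grandchild of the node process.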
Monitoring Recommendations
- Enable command-line argument logging on hosts running MCP servers and forward the logs to a centralized log pipeline.
- Alert on first-seen binaries executed by the MCP server user account.
- Track egress from MCP hosts and flag deviations from the registry and update endpoints they normally contact.
How to Mitigate CVE-2025-53372
Immediate Actions Required
- Upgrade node-code-sandbox-mcp to version 1.3.0 or later in every environment where it is deployed.
- Audit any MCP clients or AI agents that connected to vulnerable versions for evidence of injected commands.
- Restrict network exposure of the MCP server to trusted clients only until the upgrade is verified.
- Run the MCP server under a dedicated low-privilege account that cannot reach sensitive host resources.
Patch Information
The fix is published in version 1.3.0 of node-code-sandbox-mcp. Details are available in GitHub Security Advisory GHSA-5w57-2ccq-8w95 and the remediation commit e461a74.
Workarounds
- If upgrading immediately is not possible, validate and reject any tool parameter containing shell metacharacters before forwarding to the MCP server.
- Place the MCP server inside a restrictive sandbox (rootless container, seccomp, AppArmor) so a successful injection has limited host reach.
- Disable or remove the affected tools from MCP server configuration until the patched release is deployed.
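The Root Cause section and the first workaround above describe the same two-part fix: allow-list the parameters and hand them to a non-shell API as an argument array. The following is an added example written for this page, not code from node-code-sandbox-mcp or its fix commit; the function names, the docker flags used, and the exact reference grammar are assumptions.

```javascript
// Added example, not code from node-code-sandbox-mcp: the CWE-77 pattern
// described under Root Cause beside a hardened replacement. Function names
// and the exact docker flags are assumptions for illustration.

// Vulnerable pattern: the tool parameter is spliced into one shell string.
// Handed to execSync this runs as `/bin/sh -c "..."`, so an image value such
// as "alpine:3.20 && echo injected" becomes two commands. Built, never run.
function buildCommandUnsafe(image, containerName) {
  return `docker run --rm --name ${containerName} ${image} node -e "process.exit(0)"`;
}

// Approximate Docker reference grammar: [host[:port]/]path[:tag][@sha256:digest].
const IMAGE_REF = /^(?:[a-zA-Z0-9.-]+(?::\d+)?\/)?[a-z0-9]+(?:[._-]{1,2}[a-z0-9]+)*(?:\/[a-z0-9]+(?:[._-]{1,2}[a-z0-9]+)*)*(?::\w[\w.-]{0,127})?(?:@sha256:[a-f0-9]{64})?$/;
const CONTAINER_NAME = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$/;

// Allow-list validation: anything that is not a well-formed reference is
// rejected, which excludes whitespace and every shell metacharacter.
function validateParams(image, containerName) {
  if (typeof image !== 'string' || image.length > 255 || !IMAGE_REF.test(image)) {
    throw new Error(`rejected image reference: ${JSON.stringify(image)}`);
  }
  if (typeof containerName !== 'string' || !CONTAINER_NAME.test(containerName)) {
    throw new Error(`rejected container name: ${JSON.stringify(containerName)}`);
  }
}

// Hardened form: validated values travel as discrete argv entries. Even a value
// that slipped past validation would reach docker as one argument, never a shell.
function buildDockerArgs(image, containerName) {
  validateParams(image, containerName);
  return ['run', '--rm', '--name', containerName, image, 'node', '-e', 'process.exit(0)'];
}

// spawnSync with shell: false is the non-shell API the Root Cause section names.
// Requires a Docker daemon, so it is defined here but not invoked below.
function runSandboxed(image, containerName) {
  const { spawnSync } = require('node:child_process');
  return spawnSync('docker', buildDockerArgs(image, containerName), { shell: false, encoding: 'utf8' });
}

// Constructed hostile value: valid-looking tag followed by a second command.
const HOSTILE_IMAGE = 'alpine:3.20 && echo injected';
console.log(buildCommandUnsafe(HOSTILE_IMAGE, 'sbx1'));          // second command survives intact
try { buildDockerArgs(HOSTILE_IMAGE, 'sbx1'); } catch (e) { console.log(e.message); }
console.log(buildDockerArgs('mcr.microsoft.com/playwright:v1.53.2-noble', 'sbx1'));
```

The same allow-list check can run on the client side, as the first workaround suggests, before a parameter is ever forwarded to an unpatched server.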
# Upgrade to the patched release
npm install node-code-sandbox-mcp@1.3.0
# Verify the installed version
npm ls node-code-sandbox-mcp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.