CVE-2025-54073 Overview
CVE-2025-54073 is a command injection vulnerability in mcp-package-docs, a Model Context Protocol (MCP) server that gives large language models (LLMs) access to package documentation and language server protocol (LSP) capabilities. The server passes unsanitized user input directly to child_process.exec, allowing attackers to inject shell metacharacters such as |, >, and && into command strings. Successful exploitation results in arbitrary command execution under the privileges of the server process. The flaw is tracked as CWE-77: Improper Neutralization of Special Elements used in a Command.
Critical Impact
Attackers who can supply input to vulnerable MCP tool calls can achieve remote code execution on the host running the mcp-package-docs server, exposing developer workstations and CI/CD environments connected to LLM agents.
Affected Products
- mcp-package-docs versions prior to 0.1.27
- mcp-package-docs 0.1.27 (partial fix in commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9)
- Upgrade to mcp-package-docs 0.1.28 is recommended
Discovery Timeline
- 2025-07-18 - CVE-2025-54073 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-54073
Vulnerability Analysis
The mcp-package-docs server exposes MCP tools that look up package documentation across multiple language ecosystems. To retrieve documentation, the server builds shell command strings using parameters supplied by an MCP client and executes them through Node.js child_process.exec. Because exec spawns a shell, any unescaped metacharacter in the input is interpreted by /bin/sh. An attacker who controls a parameter such as a package name can append an arbitrary command using ;, |, &&, or backticks. The injected command runs with the same privileges as the MCP server process.
In practical deployments, MCP servers often run on developer machines or build agents alongside source code, SSH keys, and cloud credentials. A malicious package name returned by an upstream tool, a prompt-injection payload steered into the parameter, or a hostile MCP client can each trigger execution.
Root Cause
The root cause is the construction of shell command lines via string concatenation with untrusted input, then passing the result to child_process.exec rather than to child_process.execFile or child_process.spawn with an argument array. No allow-listing or shell escaping is performed on inputs before they are interpolated into the command string.
Attack Vector
Exploitation requires the attacker to influence an input parameter consumed by a vulnerable MCP tool call. Network reachability to the MCP transport plus user interaction by an LLM agent that invokes the tool are sufficient to trigger the flaw. The vulnerability is particularly relevant in agentic workflows where untrusted content (web pages, repository contents, third-party tool output) is fed into prompts that drive tool calls.
// Patch context from commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9 (tsconfig.json)
{
"compilerOptions": {
"target": "ES2022",
- "module": "Node16",
- "moduleResolution": "Node16",
+ "module": "node16",
+ "moduleResolution": "node16",
+ "lib": ["ES2022"],
"outDir": "./build",
"rootDir": "./src",
"strict": true,
"esModuleInterop": true,
"skipLibCheck": true,
- "forceConsistentCasingInFileNames": true
+ "forceConsistentCasingInFileNames": true,
+ "allowSyntheticDefaultImports": true
},
"include": ["src/**/*"],
"exclude": ["node_modules"]
Source: GitHub Commit cb4ad49. The full patch removes unsafe exec usage in the tool handlers; the snippet above shows the accompanying build configuration change shipped with the fix.
Detection Methods for CVE-2025-54073
Indicators of Compromise
- Unexpected child processes spawned by the Node.js process hosting mcp-package-docs, particularly shells such as sh, bash, or cmd.exe invoking commands unrelated to package lookups.
- Outbound network connections from the MCP server host to attacker-controlled infrastructure shortly after MCP tool invocations.
- New files written under user home directories, /tmp, or build workspaces immediately following an MCP lookup_* tool call.
Detection Strategies
- Inventory MCP servers across developer endpoints and CI runners and flag any version of mcp-package-docs below 0.1.28.
- Hunt for process trees where node is the parent of sh -c invocations containing shell metacharacters in the command line.
- Correlate MCP transport logs (stdio or HTTP) with process creation events to identify tool calls that result in non-documentation processes.
Monitoring Recommendations
- Enable command-line auditing on hosts that run MCP servers and forward events to a centralized analytics platform.
- Alert on Node.js processes spawning interpreters such as curl, wget, powershell, or python without an established baseline.
- Track package and dependency changes for MCP-related npm modules using software composition analysis (SCA) tooling.
How to Mitigate CVE-2025-54073
Immediate Actions Required
- Upgrade mcp-package-docs to version 0.1.28 on every host where it is installed, including developer laptops, build agents, and shared MCP gateways.
- Restart any LLM agent or IDE integration that previously loaded the vulnerable server so the patched binary is loaded.
- Review process and authentication logs for the period prior to upgrade for signs of injected commands.
Patch Information
The vulnerability was first addressed in commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9, released as version 0.1.27. The maintainer recommends upgrading to version 0.1.28, which contains the complete fix. See the GitHub Security Advisory GHSA-vf9j-h32g-2764 and the v0.1.28 release notes for full details.
Workarounds
- Disable or uninstall mcp-package-docs until the upgrade is applied, especially in environments where LLM agents process untrusted content.
- Restrict the MCP server to run under a least-privileged user account with no access to source repositories, SSH keys, or cloud credentials.
- Apply prompt-injection mitigations in upstream LLM agents to limit attacker influence over tool-call parameters.
# Upgrade the package to the fixed release
npm install -g mcp-package-docs@0.1.28
# Verify the installed version
npm list -g mcp-package-docs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
