CVE-2026-30625 Overview
CVE-2026-30625 is a critical remote code execution (RCE) vulnerability affecting Upsonic version 0.71.6. The flaw exists within the MCP (Model Context Protocol) server and task creation functionality, where users can define MCP tasks with arbitrary command and argument values. While the application implements an allowlist mechanism to restrict executable commands, the allowlist permits certain commands such as npm and npx that accept argument flags capable of executing arbitrary operating system commands. Successful exploitation enables attackers to achieve remote code execution with the privileges of the Upsonic process.
Critical Impact
Attackers can bypass command allowlist restrictions using npm/npx argument injection to execute arbitrary OS commands, potentially leading to full system compromise with the privileges of the Upsonic process.
Affected Products
- Upsonic version 0.71.6 and earlier versions
- Upsonic MCP server deployments with Stdio server configurations
- Systems running Upsonic with npm/npx in the command allowlist
Discovery Timeline
- 2026-04-15 - CVE CVE-2026-30625 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-30625
Vulnerability Analysis
This vulnerability represents a classic Command Injection weakness (CWE-77) where user-controlled input is passed to system command execution without adequate sanitization. The Upsonic MCP server allows users to configure tasks that execute system commands. While the developers implemented an allowlist to restrict which commands can be executed, the allowlist includes npm and npx commands. These package manager executables accept argument flags such as --exec or -c that can be leveraged to run arbitrary shell commands, effectively bypassing the intended security controls.
The attack surface is network-accessible, requiring no authentication or user interaction for exploitation. This design flaw allows remote attackers to craft malicious MCP task definitions that abuse the permitted npm/npx commands to execute arbitrary code on the underlying operating system.
Root Cause
The root cause is improper input validation (CWE-77 - Command Injection) in the MCP task creation functionality. The allowlist implementation only validates the base command name without considering that certain allowed commands (npm, npx) can invoke arbitrary subcommands through their argument processing. The application fails to sanitize or restrict the args parameter values passed to these commands, allowing attackers to inject malicious arguments that result in command execution.
Attack Vector
The attack vector is network-based, targeting the MCP server endpoint. An attacker can exploit this vulnerability by:
- Crafting an MCP task definition with npm or npx as the command
- Supplying malicious arguments such as --exec "malicious_command" to execute arbitrary OS commands
- The Upsonic process executes the command with its own privileges, granting the attacker code execution
The vulnerability is particularly dangerous in environments where Upsonic runs with elevated privileges or has access to sensitive data and systems.
# Example from security patch showing new autonomous agent functionality
# Source: https://github.com/Upsonic/Upsonic/commit/855053fce0662227d9246268ff4a0844b481a305
def _get_RalphLoop():
return _lazy_import("upsonic.ralph.loop", "RalphLoop")()
+def _get_AutonomousAgent():
+ return _lazy_import("upsonic.agent.autonomous_agent.autonomous_agent", "AutonomousAgent")()
+
def hello() -> str:
return "Hello from upsonic!"
The patch introduces new autonomous agent functionality with updated module imports:
# Updated agent imports from security patch
# Source: https://github.com/Upsonic/Upsonic/commit/855053fce0662227d9246268ff4a0844b481a305
from .agent import Agent
from .base import BaseAgent
from .deepagent import DeepAgent
+ from .autonomous_agent import (
+ AutonomousAgent,
+ AutonomousFilesystemToolKit,
+ AutonomousShellToolKit,
+ )
from upsonic.run.events.events import (
AgentEvent,
PipelineStartEvent,
Detection Methods for CVE-2026-30625
Indicators of Compromise
- Unusual MCP task definitions containing npm or npx commands with suspicious argument patterns
- Process execution logs showing npm/npx spawning unexpected child processes
- Network connections originating from the Upsonic process to unknown external destinations
- Unexpected file system modifications or new files created by the Upsonic process
Detection Strategies
- Monitor for MCP task creation requests containing npm or npx with --exec, -c, or similar argument injection patterns
- Implement logging for all system command executions initiated by the Upsonic MCP server
- Deploy network monitoring to detect anomalous outbound connections from the Upsonic process
- Use process monitoring to identify npm/npx commands executing unexpected subprocesses
Monitoring Recommendations
- Enable verbose logging for MCP task creation and execution events
- Implement alerting for any npm or npx command execution with non-standard arguments
- Deploy file integrity monitoring on systems running Upsonic to detect unauthorized modifications
- Monitor system resource usage for signs of cryptocurrency mining or other malicious activity
How to Mitigate CVE-2026-30625
Immediate Actions Required
- Upgrade Upsonic to version 0.72.0 or later which includes a warning about Stdio server command execution risks
- Review and remove npm and npx from the command allowlist if not required for legitimate functionality
- Audit existing MCP task definitions for potentially malicious command configurations
- Restrict network access to the MCP server endpoint to trusted sources only
Patch Information
Upsonic version 0.72.0 addresses this vulnerability by adding explicit warnings about Stdio servers being able to execute commands directly on the machine. The security patch is available in the GitHub commit 855053fce0662227d9246268ff4a0844b481a305. Organizations should upgrade to the latest version and review the Ox Security Supply Chain Advisory for additional context on MCP-related RCE vulnerabilities.
Workarounds
- Remove npm and npx from the MCP server command allowlist entirely
- Implement additional argument validation to block potentially dangerous flags like --exec, -c, or shell metacharacters
- Run the Upsonic process with minimal privileges using a dedicated service account
- Deploy network segmentation to isolate Upsonic instances from critical infrastructure
# Configuration example - Restrict Upsonic process privileges
# Run Upsonic with a dedicated low-privilege user
useradd -r -s /sbin/nologin upsonic_svc
chown -R upsonic_svc:upsonic_svc /opt/upsonic
# Configure systemd service with restricted permissions
# Add to [Service] section of upsonic.service:
User=upsonic_svc
Group=upsonic_svc
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
