CVE-2026-5125 Overview
A command injection vulnerability has been identified in raine consult-llm-mcp versions up to 2.5.3. The vulnerability exists in the child_process.execSync function within the src/server.ts file. Attackers with local access can manipulate the git_diff.base_ref or git_diff.files arguments to inject arbitrary operating system commands. The exploit for this vulnerability is publicly available, increasing the risk of exploitation in the wild.
Critical Impact
Local attackers can execute arbitrary OS commands through unsanitized input in the git_diff functionality, potentially leading to system compromise, data theft, or lateral movement within the network.
Affected Products
- raine consult-llm-mcp versions up to 2.5.3
- Systems running Node.js applications with vulnerable consult-llm-mcp dependency
- Development environments using consult-llm-mcp for LLM consultation workflows
Discovery Timeline
- 2026-03-30 - CVE-2026-5125 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-5125
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Command Injection), a critical class of security flaws where user-controlled input is passed directly to system command execution functions without proper sanitization. In consult-llm-mcp, the child_process.execSync function in src/server.ts processes the git_diff.base_ref and git_diff.files parameters without adequately validating or escaping the input.
The attack requires local access to the system, which limits the attack surface but still poses significant risk in shared development environments, CI/CD pipelines, or compromised workstations. When exploited, an attacker can execute arbitrary commands with the privileges of the Node.js process running the MCP server.
Root Cause
The root cause is improper input validation and sanitization of user-supplied arguments before passing them to the child_process.execSync function. The git_diff.base_ref and git_diff.files parameters are directly interpolated into shell commands without escaping special characters or validating the input format, allowing command injection through shell metacharacters.
Attack Vector
The attack is executed locally by supplying malicious input to the git_diff.base_ref or git_diff.files parameters. An attacker can craft input containing shell metacharacters (such as ;, |, &&, or backticks) that break out of the intended command context and execute arbitrary commands. For example, providing a base_ref value like main; whoami would execute the whoami command after the legitimate git operation.
The vendor addressed this vulnerability by performing a complete rewrite of the codebase in Rust, eliminating the vulnerable TypeScript/Node.js code entirely:
.claude
.workmux
-node_modules
-dist
-tsconfig.tsbuildinfo
-src/version.ts
-test
+target/
history
Source: GitHub Commit
The patch removes the Node.js project structure (node_modules, dist, TypeScript configuration) and replaces it with a Rust-based implementation (target directory), eliminating the vulnerable child_process.execSync code path entirely.
Detection Methods for CVE-2026-5125
Indicators of Compromise
- Unusual command execution patterns originating from Node.js processes running consult-llm-mcp
- Unexpected child processes spawned by the MCP server application
- Log entries showing git_diff operations with suspicious special characters in base_ref or files parameters
- Process execution chains indicating shell breakout attempts (e.g., node → sh → malicious_command)
Detection Strategies
- Monitor process creation events for child processes spawned by Node.js applications with suspicious command-line arguments
- Implement application-level logging to capture all git_diff parameter values before execution
- Use endpoint detection tools to identify command injection patterns in process arguments
- Deploy file integrity monitoring on systems running vulnerable consult-llm-mcp versions
Monitoring Recommendations
- Enable verbose logging for the consult-llm-mcp application to capture input parameters
- Configure SIEM rules to alert on shell metacharacters in application logs related to git operations
- Monitor for unexpected network connections or file system modifications following MCP server requests
- Implement runtime application self-protection (RASP) to detect command injection attempts
How to Mitigate CVE-2026-5125
Immediate Actions Required
- Upgrade consult-llm-mcp to version 2.5.4 or later immediately
- Audit systems for any signs of exploitation if running vulnerable versions
- Review application logs for suspicious git_diff parameter values
- Restrict local access to systems running the vulnerable MCP server
Patch Information
The vulnerability has been addressed in version 2.5.4 of consult-llm-mcp. The patch is identified by commit hash 4abf297b34e5e8a9cb364b35f52c5f0ca1d599d3. The fix involves a complete rewrite of the application in Rust, which eliminates the vulnerable Node.js code path. Users should upgrade to version 2.5.4 or later by downloading from the official GitHub release.
Additional resources:
Workarounds
- If immediate upgrade is not possible, restrict local access to systems running consult-llm-mcp
- Implement network segmentation to isolate systems running vulnerable versions
- Disable or block the git_diff functionality if not required for operations
- Deploy application-layer firewalls or input validation proxies to filter malicious input patterns
# Upgrade to patched version
npm update consult-llm-mcp@2.5.4
# Verify installed version
npm list consult-llm-mcp
# Alternative: Install specific patched version
npm install consult-llm-mcp@2.5.4 --save
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
