Hi,
I'm reporting a critical security vulnerability in terminal-controller-mcp, an open-source Python MCP (Model Context Protocol) server. The repository has been archived by the maintainer (no fix will come), and private disclosure has received no response. I'm posting to seek CVE assignment and to alert users.

---

PRODUCT

terminal-controller (PyPI: https://pypi.org/project/terminal-controller/)
GitHub: https://github.com/GongRzhe/terminal-controller-mcp (ARCHIVED)
Maintainer: GongRzhe <[email protected]>

AFFECTED VERSIONS

All versions ≤ 0.1.9 (current/final version)

FIXED VERSIONS

None. Repository archived ~2025-06-14. No patch expected.

---

VULNERABILITY DESCRIPTION

terminal-controller-mcp is an MCP server that allows AI models (e.g., Claude, GPT-4) to execute arbitrary shell commands on the host system. The server passes commands directly to asyncio.create_subprocess_shell() with executable="/bin/bash".

The sole security control is a keyword blocklist (terminal_controller.py, lines 115-118):

    dangerous_commands = ["rm -rf /", "mkfs"]
    if any(dc in command.lower() for dc in dangerous_commands):
        return "For security reasons, this command is not allowed."

This is trivially bypassed using basic shell features:

    # Bypass mkfs via command substitution:
    $(echo mk)fs

    # Bypass rm -rf / via variable reassembly:
    a="rm -rf"; b=" /"; $a$b

    # Bypass via eval + string split:
    eval "mk""fs /dev/sda"

Any restricted command can be constructed via bash's many string manipulation, substitution, and evaluation features. The filter checks the literal input string, not the command that bash will actually execute.

---

IMPACT

An attacker who can influence the input to this MCP server (e.g., via prompt injection into the connected AI model) can execute arbitrary OS commands on the host.

Attack scenarios:
- Data destruction (disk wipe, file deletion)
- Data exfiltration (curl/wget to attacker-controlled endpoint)
- Reverse shell establishment
- Lateral movement from the AI agent's host

The false sense of security is particularly dangerous: users who rely on the "security measures" advertised in the README are exposed without knowing it.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Base Score: 10.0 (Critical)

Note on attack vector: MCP servers receive commands from AI models, which may in turn be influenced by external content (prompt injection via web pages, documents, emails processed by the AI). The attacker does not need direct network access to the MCP server.

---

PRIOR DISCLOSURE

- 2025-09-16: Independently disclosed publicly in GitHub issue #7 by ClementineZsw (https://github.com/GongRzhe/terminal-controller-mcp/issues/7)
- 2026-04-11: Additional private disclosure sent to [email protected], no response received
- 2026-04-19: This post (90-day window exceeded; repository abandoned/archived)

The vulnerability has been publicly visible in issue #7 since September 2025. This post is to establish a formal CVE record and alert the broader community.

---

RECOMMENDATION

Do not use terminal-controller-mcp. The architecture (passing arbitrary user-controlled strings to a shell=True subprocess) cannot be made safe with blocklist-based filtering. There is no patch and no plan for one.

If shell command execution via MCP is required, use a sandboxed environment (container with limited syscalls, restricted filesystem namespace) and implement allowlist-based (not blocklist-based) command validation.

---

REFERENCES

https://github.com/GongRzhe/terminal-controller-mcp
https://github.com/GongRzhe/terminal-controller-mcp/issues/7
https://pypi.org/project/terminal-controller/

---

Håkon Åmdal
[email protected]
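As an illustration of the allowlist-based validation recommended above, here is an added example (not code from terminal-controller-mcp or its maintainer) of how an MCP shell tool can validate commands structurally instead of by substring matching. The allowlist contents, the argument pattern, and the names validate_command, is_allowed, run_validated and run_validated_sync are assumptions chosen for this example. The command is parsed with shlex into an argv list, the executable and flags are checked against a fixed allowlist, positional arguments must match a conservative pattern, and the result is executed with create_subprocess_exec so no shell ever interprets the string. The bypass strings quoted in the report fail this check because the validator inspects what would be executed, not the raw text.

```python
"""Allowlist-based command validation for an MCP shell tool (added example)."""
import asyncio
import re
import shlex

# Assumed allowlist for this example: executable -> set of permitted flags.
# Anything not listed here is rejected outright; there is no blocklist.
ALLOWED_COMMANDS = {
    "ls": {"-l", "-a", "-la", "-h"},
    "cat": set(),
    "echo": set(),
    "git": {"--no-pager"},
}
# Assumed sub-command allowlist for git (read-only operations only).
ALLOWED_GIT_SUBCOMMANDS = {"status", "log", "diff"}

# Positional arguments must be plain words or relative paths: letters, digits,
# "_", ".", "-" and "/" only, starting with a word character.  This excludes
# shell metacharacters, "$" expansions, quotes, and absolute paths.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-/]*$")


class CommandRejected(ValueError):
    """Raised when a command does not satisfy the allowlist."""


def validate_command(command: str) -> list[str]:
    """Parse `command` into argv and return it if every element is allowlisted.

    Raises CommandRejected otherwise.  The check is structural: it looks at the
    executable and arguments that would actually run, not at substrings of the
    raw input string.
    """
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes etc.
        raise CommandRejected(f"unparsable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED_COMMANDS:
        raise CommandRejected(f"executable not allowlisted: {prog!r}")
    flags = ALLOWED_COMMANDS[prog]
    for arg in args:
        if arg.startswith("-"):
            if arg not in flags:
                raise CommandRejected(f"flag not allowlisted: {arg!r}")
        elif ".." in arg.split("/") or not SAFE_ARG.match(arg):
            raise CommandRejected(f"argument not permitted: {arg!r}")
    if prog == "git":
        positional = [a for a in args if not a.startswith("-")]
        if not positional or positional[0] not in ALLOWED_GIT_SUBCOMMANDS:
            raise CommandRejected("git subcommand not allowlisted")
    return argv


def is_allowed(command: str) -> bool:
    """Convenience wrapper: True if validate_command accepts the command."""
    try:
        validate_command(command)
        return True
    except CommandRejected:
        return False


async def run_validated(command: str, timeout: float = 10.0) -> str:
    """Validate, then execute the argv directly (no shell) with a timeout."""
    argv = validate_command(command)
    proc = await asyncio.create_subprocess_exec(
        *argv,
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.STDOUT,
    )
    try:
        out, _ = await asyncio.wait_for(proc.communicate(), timeout)
    except asyncio.TimeoutError:
        proc.kill()
        raise
    return out.decode(errors="replace")


def run_validated_sync(command: str) -> str:
    """Synchronous helper around run_validated for callers without a loop."""
    return asyncio.run(run_validated(command))


if __name__ == "__main__":
    for cmd in ["ls -la docs", "$(echo mk)fs", 'eval "mk""fs /dev/sda"', "rm -rf /"]:
        print(f"{cmd!r}: {'allowed' if is_allowed(cmd) else 'rejected'}")
    print(run_validated_sync("echo hello"), end="")
```

Two points about the design: the allowlist is deliberately small and read-only, because the cost of omitting a command is a refused request while the cost of an over-broad entry is code execution; and because the process is started with create_subprocess_exec rather than a shell, metacharacters that slip into an argument are passed to the program as literal bytes rather than being interpreted. This validator should still sit inside the sandbox the recommendation describes, since an allowlisted program with an unexpected argument can still do damage.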
