CVE-2025-35028
📋 TL;DR
This vulnerability allows remote command injection in the HexStrike AI MCP server. Attackers can execute arbitrary commands with root privileges by sending specially crafted command-line arguments starting with a semicolon to an API endpoint. This affects all deployments using the default configuration of the vulnerable version.
💻 Affected Systems
- HexStrike AI MCP server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level access, allowing attackers to install persistent backdoors, exfiltrate sensitive data, or pivot to other systems.
Likely Case
Unauthorized command execution leading to data theft, service disruption, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and least-privilege controls are implemented, though command injection would still be possible.
🎯 Exploit Status
Exploitation requires sending a crafted request to the vulnerable API endpoint; no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/0x4m4/hexstrike-ai/issues/115
Restart Required: Yes
Instructions:
1. Monitor the GitHub issue for patches.
2. Apply the official patch when available.
3. Restart the MCP server service.
🔧 Temporary Workarounds
Input Validation Filter
All platforms: Implement input validation to reject command-line arguments starting with semicolons or other shell metacharacters.
# Modify EnhancedCommandExecutor class to sanitize inputs
# Example: if arg.startswith(';'): raise ValidationError
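An added example of the input validation workaround in Python (not code from HexStrike AI or from this advisory). It goes beyond the semicolon check by allowlisting argument characters and launching the tool without a shell. `ALLOWED_TOOLS`, `validate_arg`, `build_argv` and `run_tool` are hypothetical names, and the example assumes the executor receives a tool name plus a list of string arguments.

```python
import re
import subprocess

# Hypothetical allowlist of binaries the endpoint may launch (assumption).
ALLOWED_TOOLS = {"nmap", "whois", "dig"}

# Positive allowlist: anything outside this set (';', '|', '&', '$', '`',
# quotes, whitespace, control characters, ...) is rejected.
_SAFE_ARG = re.compile(r"[A-Za-z0-9._:/=@,+-]{1,256}")


class ValidationError(ValueError):
    """Raised when a request value must not reach a command line."""


def validate_arg(arg):
    """Return arg unchanged if every character is on the allowlist."""
    if not isinstance(arg, str) or not _SAFE_ARG.fullmatch(arg):
        raise ValidationError(f"rejected argument: {arg!r}")
    return arg


def build_argv(tool, args):
    """Build an argv list; nothing is ever joined into a shell string."""
    if tool not in ALLOWED_TOOLS:
        raise ValidationError(f"tool not allowlisted: {tool!r}")
    return [tool] + [validate_arg(a) for a in args]


def run_tool(tool, args, timeout=60):
    """Run the tool with shell=False so argument text is passed as data."""
    argv = build_argv(tool, args)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)


def is_rejected(tool, args):
    """True when validation refuses the request (used for fix verification)."""
    try:
        build_argv(tool, args)
    except ValidationError:
        return True
    return False
```

Validation alone is a stopgap; passing an argv list with `shell=False` is what removes the shell from the execution path.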
Network Access Restriction
Linux: Restrict network access to the MCP server API endpoint using firewall rules.
iptables -A INPUT -p tcp --dport <MCP_PORT> -s <TRUSTED_IPS> -j ACCEPT
iptables -A INPUT -p tcp --dport <MCP_PORT> -j DROP
🧯 If You Can't Patch
- Disable or remove the EnhancedCommandExecutor API endpoint if not required.
- Run the MCP server with reduced privileges (non-root) using containerization or user isolation.
🔍 How to Verify
Check if Vulnerable:
Test by sending a request with a command-line argument starting with ';' to the API endpoint and observing if arbitrary commands execute.
Check Version:
Check the commit hash or version string in the MCP server configuration or logs.
Verify Fix Applied:
Verify that input validation rejects semicolon-prefixed arguments and no commands execute when tested.
📡 Detection & Monitoring
Log Indicators:
- Unusual command executions in server logs
- API requests containing semicolons in arguments
- Error messages related to command injection attempts
Network Indicators:
- HTTP requests to the API endpoint with semicolon-prefixed parameters
- Unusual outbound connections from the MCP server
SIEM Query:
source="mcp_server.log" AND ("semicolon" OR "command injection" OR "EnhancedCommandExecutor")