CVE-2025-66401
📋 TL;DR
MCP Watch versions 0.1.2 and earlier contain a critical command injection vulnerability in the MCPScanner class. Attackers can execute arbitrary commands on the host system by injecting shell metacharacters into the githubUrl parameter. This affects all users running vulnerable versions of MCP Watch.
💻 Affected Systems
- MCP Watch
📦 What is this software?
Mcp Watch by Kapilduraphe
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to execute arbitrary commands with the privileges of the MCP Watch process, potentially leading to data theft, ransomware deployment, or complete host takeover.
Likely Case
Attacker gains shell access to execute commands, install backdoors, exfiltrate data, or pivot to other systems in the network.
If Mitigated
Limited impact if MCP Watch runs with minimal privileges in isolated environments with strict network controls.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint but no authentication. The advisory includes technical details that facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.3 or later
Vendor Advisory: https://github.com/kapilduraphe/mcp-watch/security/advisories/GHSA-27m7-ffhq-jqrm
Restart Required: Yes
Instructions:
1. Update MCP Watch to version 0.1.3 or later using npm update mcp-watch.
2. Restart any running MCP Watch instances.
3. Verify the fix by checking the version.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject URLs containing shell metacharacters before passing them to execSync.
Add input validation in cloneRepo method to filter: ; & | $ ` \n \r ( ) < >
Use Child Process with Argument Array
Replace execSync with spawn or execFile using argument arrays to avoid shell interpretation.
Replace: execSync(`git clone ${githubUrl}`) with: execFileSync('git', ['clone', githubUrl])
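Both workarounds above combined in one helper, as an added example (not MCP Watch's own code and not the upstream patch). The GitHub-only HTTPS allowlist, the destDir parameter and the function names are assumptions made for illustration.

```javascript
// Added example: validate githubUrl, then run git without a shell.
const { execFileSync } = require('node:child_process');

// Characters the validation workaround lists, plus any other whitespace.
const SHELL_META = /[;&|$`\n\r()<>\s]/;

// Assumption: only https://github.com/<owner>/<repo>[.git] is legitimate input.
const GITHUB_REPO =
  /^https:\/\/github\.com\/[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+?(?:\.git)?\/?$/;

function validateGithubUrl(githubUrl) {
  if (typeof githubUrl !== 'string' || githubUrl.length > 2048) {
    throw new TypeError('githubUrl must be a string of reasonable length');
  }
  if (SHELL_META.test(githubUrl)) {
    throw new Error('githubUrl contains shell metacharacters or whitespace');
  }
  if (!GITHUB_REPO.test(githubUrl)) {
    throw new Error('githubUrl is not an https://github.com/<owner>/<repo> URL');
  }
  return githubUrl;
}

// Build the argument array. "--" tells git that everything after it is a
// positional value, so a value starting with "-" is never read as an option.
function buildCloneArgs(githubUrl, destDir) {
  return ['clone', '--', validateGithubUrl(githubUrl), destDir];
}

// destDir is a hypothetical parameter: the directory to clone into.
function cloneRepo(githubUrl, destDir) {
  // execFileSync starts git directly; no shell parses the URL.
  execFileSync('git', buildCloneArgs(githubUrl, destDir), {
    stdio: 'ignore',
    timeout: 60000,
  });
  return destDir;
}

// Constructed sample inputs that the validator must reject.
function selfCheck() {
  const bad = ['https://github.com/o/r; echo x', 'https://github.com/o/r$(echo x)',
    'https://github.com/o/r`echo x`', '--option-like-value', 'file:///tmp/repo',
    'http://github.com/o/r'];
  return bad.map((u) => {
    try { validateGithubUrl(u); return 'accepted'; } catch { return 'rejected'; }
  });
}
```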
🧯 If You Can't Patch
- Restrict network access to MCP Watch instances and run with minimal user privileges.
- Implement application-level firewall rules to block malicious input patterns containing shell metacharacters.
🔍 How to Verify
Check if Vulnerable:
Check package.json for MCP Watch version 0.1.2 or earlier, or examine source code for execSync calls with unsanitized user input in cloneRepo method.
Check Version:
npm list mcp-watch | grep mcp-watch
Verify Fix Applied:
Verify MCP Watch version is 0.1.3 or later, and check that the commit e7da78c5b4b960f8b66c254059ad9ebc544a91a6 is applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual git clone commands with shell metacharacters in logs
- Unexpected child process executions from MCP Watch
Network Indicators:
- Outbound connections from MCP Watch to unexpected destinations following git operations
SIEM Query:
process.name:"node" AND process.args:"git clone" AND process.args:(";" OR "&" OR "|" OR "$" OR "`")