DesktopCommanderMCP
CVE-2025-11490
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor explains: "The usual use case is that AI is asked to do something, picks commands itself, and typically uses simple command names without absolute paths. It's curious why a user would ask the model to bypass restrictions this way. (...) This could potentially be a problem, but we are yet to hear reports of this being an issue in actual workflows. We'll leave this issue open for situations where people may report this as a problem for the long term."
Analysis (AI)
OS command injection in DesktopCommanderMCP up to version 0.2.13 allows authenticated remote attackers to execute arbitrary operating system commands via the extractBaseCommand function in src/command-manager.ts when processing absolute file paths. Exploitation requires authentication and the real-world impact is limited, as reflected in the low CVSS score of 2.1 and an EPSS of 0.15%. Exploit code is publicly available, and the vendor acknowledges that the issue remains unfixed pending reports of real-world problems.
Technical Context (AI)
DesktopCommanderMCP is a Model Context Protocol (MCP) server that executes system commands on behalf of AI models. The vulnerability exists in the Absolute Path Handler component's extractBaseCommand function (src/command-manager.ts), which fails to properly sanitize or validate absolute file paths before using them in OS command execution. CWE-77 (Improper Neutralization of Special Elements used in a Command) indicates the root cause is insufficient input validation when constructing shell commands from user-supplied or AI-generated paths. The vulnerability allows injection of shell metacharacters or command separators (semicolon, pipe, ampersand, backticks, etc.) into what should be a simple command name extraction operation.
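The following added example is not DesktopCommanderMCP's code. It models why a command blocklist keyed on the first token misses an absolute path, next to an extractor that canonicalises the program name before the comparison. The blocklist contents and all function names are assumptions made for illustration.

```typescript
// Added example. BLOCKED and both extractors are constructed for illustration;
// this is not the code of src/command-manager.ts.
const BLOCKED: ReadonlySet<string> = new Set(["sudo", "rm", "mkfs"]);

// Model of a name-only check: the first token is compared verbatim, so
// "/usr/bin/sudo" is not recognised as "sudo".
function naiveBaseCommand(segment: string): string {
  return segment.trim().split(/\s+/)[0] ?? "";
}

// Hardened variant: reduce the first token to a canonical program name.
function normalizedBaseCommand(segment: string): string {
  const token = (segment.trim().split(/\s+/)[0] ?? "")
    .replace(/^["']+|["']+$/g, ""); // drop surrounding quotes
  const parts = token.split(/[\\\/]/); // POSIX and Windows separators
  const name = parts[parts.length - 1] ?? "";
  // Lower-casing and stripping launcher extensions over-blocks on
  // case-sensitive systems, which is the safe direction for a blocklist.
  return name.toLowerCase().replace(/\.(exe|cmd|bat|com)$/, "");
}

// Split on common shell separators and return every blocked program found.
// Splitting inside quotes can only add segments, never hide one. Command
// substitution ($(...), backticks) is not handled here.
function blockedCommandsIn(
  commandLine: string,
  extract: (segment: string) => string,
): string[] {
  return commandLine
    .split(/&&|\|\||[;|&\n]/)
    .map((segment) => extract(segment))
    .filter((name) => BLOCKED.has(name));
}
```

A blocklist of this kind remains a coarse control even when the name is canonicalised, so it complements rather than replaces the privilege restrictions listed under Remediation.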
Remediation (AI)
No vendor-released patch is available at time of analysis. The primary mitigation is to upgrade to a version newer than 0.2.13 once available, or restrict authenticated access to DesktopCommanderMCP to only trusted users who will not attempt absolute-path-based command injection. In the interim, apply network-level access controls to limit who can authenticate to the MCP server, deploy input validation rules at the API gateway to reject requests containing shell metacharacters in path parameters, or disable the absolute path handler component if not required for operational workflows. Alternatively, run DesktopCommanderMCP in a restricted OS user context or sandboxed container with minimal privileges to limit command execution scope. Monitor for GitHub repository updates or tagged releases from the wonderwhy-er project for security patches.