Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost:<port> directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7.
AnalysisAI
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.
Technical ContextAI
Lumiverse is a full-featured AI chat application (CPE cpe:2.3:a:prolix-oc:lumiverse) that exposes an HTTP endpoint for spawning Model Context Protocol (MCP) child processes. The root cause maps to CWE-88 (Improper Neutralization of Argument Delimiters in a Command, a.k.a. Argument Injection): the server treats the command name as the only security boundary and trusts the args array verbatim. Because the allowlisted interpreters (Node.js, Bun, Python 3, Deno) all natively accept inline-code flags, the allowlist provides no real protection. Compounding this, the route is guarded only by requireAuth (not requireOwner), the listener binds on dual-stack wildcard (::), and the host-header check that was intended to restrict access to localhost can be defeated by any client that sets Host: localhost:<port> in its request - collapsing what should have been a localhost-only management endpoint into a network-reachable one.
RemediationAI
Vendor-released patch: upgrade to Lumiverse 0.9.7 or later, which is the authoritative fix per GHSA-mfwv-ch2f-9j5v (https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-mfwv-ch2f-9j5v). If immediate upgrade is not possible, place the Lumiverse server behind a reverse proxy or firewall rule that strictly limits inbound access to trusted operator addresses and rejects requests where the Host header does not match the externally expected hostname, since the application's built-in host-header check is bypassable. As an additional compensating control, bind the listener to 127.0.0.1 instead of :: so the MCP creation endpoint is not network-reachable, accepting the trade-off that remote browser access will then require an authenticated tunnel or proxy. Audit and tighten the user account model - disable open registration and review existing low-privilege accounts - because the route only enforces requireAuth, so any authenticated user can reach it.
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary Jav
Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attacker
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers
Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthori
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31978