Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 to 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server's OS privileges. This vulnerability is fixed in 1.17.0.
AnalysisAI
Arbitrary code execution in Roslyn CodeLens MCP Server versions 0.0.9 through 1.17.0 allows attackers to run code in the MCP server process by tricking a victim into opening a malicious .NET solution. The get_diagnostics tool automatically loads and executes any DiagnosticAnalyzer DLL referenced by a .csproj without allowlist, signature validation, or user prompt, and includeAnalyzers defaults to true. No public exploit identified at time of analysis, but the attack pattern (malicious project file + attacker-controlled DLL) is well understood and trivial to weaponize.
Technical ContextAI
Roslyn is Microsoft's open-source .NET compiler platform; it allows third-party DiagnosticAnalyzer assemblies to be referenced from a project (.csproj) and loaded into the compilation pipeline to surface custom warnings and code intelligence. The Model Context Protocol (MCP) is an emerging standard for exposing tools and data to LLM-driven agents, and this server bridges Roslyn diagnostics into that ecosystem. The vulnerability is rooted in CWE-94 (Improper Control of Generation of Code) because the get_diagnostics tool treats analyzer DLL references in untrusted .csproj files as trusted code to execute in-process. CPE cpe:2.3:a:marcelroozekrans:roslyn-codelens-mcp identifies the single affected implementation.
RemediationAI
Vendor-released patch: upgrade to Roslyn CodeLens MCP Server 1.17.0 or later, per the GitHub Security Advisory at https://github.com/MarcelRoozekrans/roslyn-codelens-mcp/security/advisories/GHSA-552p-8f74-6x7q. If an immediate upgrade is not possible, invoke get_diagnostics with includeAnalyzers explicitly set to false to suppress analyzer loading (trade-off: you lose custom analyzer diagnostics from the response). As a structural workaround, only point the MCP server at solutions from trusted sources and avoid opening freshly cloned third-party repositories until upgraded; running the MCP server under a least-privileged OS account or inside a sandbox/container limits the blast radius of any analyzer DLL execution but does not prevent it.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33302