Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Command injection in ssh-mcp versions up to 1.5.0 allows authenticated local users to execute arbitrary OS commands via the Description parameter to the shell.write function in src/index.ts. Publicly available exploit code exists (GitHub issue #44) demonstrating the vulnerability. Despite CVSS 7.1 severity, real-world risk is moderate due to local-only attack vector and low EPSS score (0.06%, 18th percentile), indicating minimal observed exploitation attempts. Vendor has not responded to early disclosure via issue report.
Technical ContextAI
ssh-mcp is a Model Context Protocol (MCP) server implementation for SSH connections. The vulnerability resides in the shell.write function within src/index.ts, where user-supplied input through the Description argument is passed unsanitized to shell execution functions. This is a classic CWE-77 command injection flaw where special characters or shell metacharacters in the Description parameter can break out of the intended command context and execute arbitrary system commands. The affected code path involves the MCP server processing client-supplied parameters without proper input validation or sanitization before invoking shell operations. All versions from 1.0 through 1.5.0 are confirmed vulnerable per EUVD product enumeration (CPE: cpe:2.3:a:tufantunc:ssh-mcp:*:*:*:*:*:*:*:*).
RemediationAI
No vendor-released patch identified at time of analysis. The project maintainer has not responded to the vulnerability disclosure made via GitHub issue #44, suggesting potential project abandonment or lack of active maintenance. Organizations using ssh-mcp should immediately assess exposure and implement compensating controls. Primary mitigation: restrict ssh-mcp deployment to single-user or fully-trusted environments where all users have equivalent privilege levels, eliminating command injection impact since attackers already possess equivalent access. Secondary mitigation: implement operating system-level restrictions using mandatory access control (MAC) frameworks like SELinux or AppArmor to confine the ssh-mcp process to a restricted security context, preventing injected commands from accessing sensitive resources (trade-off: requires expertise to configure and may break legitimate functionality). Tertiary option: conduct code review of src/index.ts shell.write function and apply local patch to sanitize Description parameter using allowlists for permitted characters or migrate to parameterized command execution APIs (trade-off: requires ongoing maintenance for upstream updates and testing). Long-term recommendation: evaluate migration to actively-maintained alternatives for SSH-based MCP server implementations, given vendor non-responsiveness indicates potential end-of-life status for this project.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25716