Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
OS command injection in privsim mcp-test-runner 0.2.0 allows authenticated remote attackers to execute arbitrary operating system commands via manipulation of the command argument passed to child_process.spawn in the MCP Interface component. The vulnerability affects version 0.2.0 with CVSS 6.3 (network-exploitable, low attack complexity, low-privileged access required). Publicly available exploit code exists and the vendor has not yet responded to early disclosure notification.
Technical ContextAI
The vulnerability exists in the MCP Interface implementation (src/index.ts) where the child_process.spawn function is called with unsanitized user-supplied input in the command argument. The Node.js child_process.spawn API executes commands directly when passed a string rather than properly tokenized arguments, making it susceptible to OS command injection (CWE-78: Improper Neutralization of Special Elements used in an OS Command). The mcp-test-runner package is designed to test Model Context Protocol (MCP) implementations, and the vulnerable code path processes MCP commands without proper input validation or escaping before passing them to the operating system shell.
RemediationAI
No vendor-released patch has been identified at the time of analysis; the project maintainers have not yet responded to the early disclosure notification. Immediate remediation options include: (1) upgrade to a patched version if released after vendor response (monitor https://github.com/privsim/mcp-test-runner for releases); (2) restrict access to mcp-test-runner instances to trusted users only via network segmentation or authentication controls, reducing the PR:L attack surface; (3) implement input validation and sanitization for all command arguments before passing to child_process.spawn, specifically rejecting or escaping shell metacharacters (|, &, ;, $, `, etc.) and enforcing allowlists of permitted commands; (4) run mcp-test-runner with least-privilege operating system accounts to limit the impact of command injection; (5) consider using Node.js APIs that tokenize arguments properly (passing arguments as array to spawn) rather than shell string interpretation if feasible within the application architecture. Monitor VulDB and the GitHub issue (https://github.com/privsim/mcp-test-runner/issues/24) for patch availability.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26884