Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Command injection in code-mcp's git_operation function allows remote attackers to execute arbitrary system commands by manipulating the operation argument. The vulnerability affects all versions up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8 and has publicly available exploit code. Continuous delivery model means no versioned releases exist, complicating patching timelines.
Technical ContextAI
The MCP Tool component in src/code_mcp/server.py implements a git_operation function that processes user-supplied operation arguments without proper sanitization. This is a classic CWE-77 (Improper Neutralization of Special Elements used in a Command) vulnerability where unsanitized input is passed to shell execution, likely via Python's subprocess or os.system calls. The git_operation function likely constructs shell commands dynamically using the operation parameter, enabling injection of arbitrary commands within the git execution context. The remote network attack vector indicates the MCP server exposes this functionality via network-accessible RPC or API endpoints.
RemediationAI
Pull the latest commit from the main repository (https://github.com/54yyyu/code-mcp/) to obtain any available fixes; however, vendor response is pending as of the report date. The recommended immediate mitigation is to restrict network access to the code-mcp MCP server to trusted internal networks only, blocking direct remote exposure. Implement input validation by whitelist-matching the operation argument against a fixed set of allowed git subcommands (e.g., 'clone', 'pull', 'push', 'fetch') and reject any operation containing shell metacharacters (|, ;, &, $, `, parentheses, redirects). This validation must occur in the git_operation function before any command construction. Alternatively, refactor git_operation to use Python's subprocess module with shell=False and pass arguments as a list rather than concatenating strings - this prevents shell injection entirely. Monitor the GitHub issue (https://github.com/54yyyu/code-mcp/issues/5) for vendor patches. Until a patched version is available, isolate code-mcp instances to air-gapped or segmented networks.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27217