Wezterm Mcp
Monthly
OS command injection in wezterm-mcp 0.1.0 allows a remotely authenticated attacker with low privileges to execute arbitrary shell commands by supplying a crafted pane_id argument to the switch_pane or write_to_specific_pane MCP tool handlers. The unsanitized parameter is passed directly to a shell invocation in src/wezterm_executor.ts, giving an MCP client - such as an AI assistant or automation pipeline - the ability to break out of intended terminal pane management and run arbitrary commands in the host user's context. Publicly available exploit code exists per a GitHub issue report; no patch has been released as the vendor has not responded to the disclosure.
OS command injection in wezterm-mcp 0.1.0 allows a remotely authenticated attacker with low privileges to execute arbitrary shell commands by supplying a crafted pane_id argument to the switch_pane or write_to_specific_pane MCP tool handlers. The unsanitized parameter is passed directly to a shell invocation in src/wezterm_executor.ts, giving an MCP client - such as an AI assistant or automation pipeline - the ability to break out of intended terminal pane management and run arbitrary commands in the host user's context. Publicly available exploit code exists per a GitHub issue report; no patch has been released as the vendor has not responded to the disclosure.