CVE-2025-66401: Critical Command Injection Vulnerability Exposes MCP Watch Users

Overview

CVE-2025-66401 describes a critical command injection vulnerability found in MCP Watch version 0.1.2 and earlier. MCP Watch is a security scanner designed for Model Context Protocol (MCP) servers. This vulnerability allows an attacker to execute arbitrary commands on the host machine, potentially leading to complete system compromise.

Technical Details

The vulnerability resides within the cloneRepo method of the MCPScanner class. This method takes a githubUrl argument provided by the user and passes it directly to the operating system shell via the execSync function. Crucially, the application fails to sanitize or validate this user-supplied input before executing the command. By appending shell metacharacters (e.g., ;, |, &&, ||) to the URL, an attacker can inject arbitrary commands that will be executed with the privileges of the user running the MCP Watch application. For example, a malicious URL such as https://github.com/example/repo; rm -rf / could lead to devastating consequences.

CVSS Analysis

  • Severity: CRITICAL
  • CVSS Score: 9.8

A CVSS score of 9.8 indicates the highest level of severity. This reflects the ease of exploitation and the potentially catastrophic impact of a successful attack. The vulnerability is remotely exploitable, requires no user interaction (beyond providing a malicious URL), and allows for complete system compromise.

Possible Impact

The exploitation of this vulnerability could have severe consequences, including:

  • Complete system compromise: An attacker can gain full control of the server running MCP Watch.
  • Data exfiltration: Sensitive data stored on the server can be stolen.
  • Malware installation: The attacker can install malware, such as ransomware or cryptominers.
  • Denial of service: The attacker can crash the server, rendering it unavailable.
  • Lateral movement: If the compromised server has access to other systems on the network, the attacker can use it as a springboard to compromise those systems as well.

Mitigation and Patch Steps

The vulnerability has been addressed in a patch. Users of MCP Watch version 0.1.2 and earlier are strongly advised to take the following steps:

  1. Upgrade to a patched version: Check the MCP Watch GitHub repository for the latest version that includes the fix. Unfortunately, as of this writing, there does not appear to be a newer version released by the maintainers.
  2. Temporary Mitigation (If Upgrade is Not Possible):
    • Input Validation: Carefully validate and sanitize any githubUrl provided to MCP Watch. Reject any URLs containing shell metacharacters. This is NOT a complete solution and should only be used as a temporary measure until a proper patch is available.
    • Restrict Permissions: Run the MCP Watch application with the least privileges necessary. This will limit the damage an attacker can cause if the vulnerability is exploited.
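
One way to implement the input-validation step without relying on a metacharacter deny-list, as an added example that is not MCP Watch's own code or its official fix: the URL is parsed and allow-listed, then handed to git as an argument array so no shell interprets it. The names validateGithubUrl, cloneRepoSafe, REPO_PATH and the run parameter are hypothetical, and the accepted URL shape (https://github.com/<owner>/<repo>) is an assumption.

```javascript
// Added example; function names are hypothetical, not MCP Watch's API.
// Vulnerable shape the advisory describes (reconstructed, not project code):
//   execSync(`git clone ${githubUrl} ${dir}`)  -> whole string is parsed by a shell

// Assumed policy: exactly /<owner>/<repo>, with an optional ".git" or trailing "/".
const REPO_PATH = /^\/[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+\/?$/;

// Parse and allow-list the URL instead of deny-listing metacharacters.
function validateGithubUrl(input) {
  if (typeof input !== 'string' || /[\s\x00-\x1f]/.test(input)) {
    throw new Error('githubUrl contains whitespace or control characters');
  }
  let url;
  try {
    url = new URL(input);
  } catch {
    throw new Error('githubUrl is not a URL');
  }
  if (url.protocol !== 'https:' || url.hostname !== 'github.com') {
    throw new Error('only https://github.com/ URLs are accepted');
  }
  if (url.username || url.password || url.port || url.search || url.hash) {
    throw new Error('credentials, port, query and fragment are not accepted');
  }
  if (!REPO_PATH.test(url.pathname)) {
    throw new Error('path must be /<owner>/<repo>');
  }
  // Return the normalized form so later code never sees the raw input.
  return url.origin + url.pathname.replace(/\/$/, '');
}

// Arguments go to git as an array, so no shell ever parses them, and "--"
// stops git from reading a value as an option. `run` is injectable for tests.
function cloneRepoSafe(githubUrl, destDir,
                       run = require('node:child_process').execFileSync) {
  const url = validateGithubUrl(githubUrl);
  run('git', ['clone', '--depth', '1', '--', url, destDir],
      { stdio: 'inherit', timeout: 120000 });
  return url;
}
```

Because the argument array never passes through a shell, a validation gap would no longer turn into command execution; the allow-list is defence in depth rather than the only control.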

Important Note: It is highly recommended to closely monitor the MCP Watch repository and security advisories for official updates and patches. Implementing temporary mitigations is not a substitute for a proper patch.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
