Cyber Posture

CVE-2025-66401

Critical · Public PoC

Published: 01 December 2025

Modified: 06 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0098 (76.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly prevents command injection by requiring validation and sanitization of user-supplied inputs like githubUrl before passing to execSync.

prevent

Mandates timely remediation of the specific command injection flaw in MCP Watch versions 0.1.2 and earlier via patching.

prevent

Limits the scope and impact of arbitrary command execution resulting from the injection by enforcing least privilege on the hosting process.

Security Summary · AI

CVE-2025-66401 is a critical command injection vulnerability (CWE-78) in MCP Watch, a comprehensive security scanner for Model Context Protocol (MCP) servers, affecting versions 0.1.2 and earlier. The issue exists in the MCPScanner class's cloneRepo method, where the user-supplied githubUrl argument is passed directly to a system shell via execSync without any sanitization. This flaw enables attackers to execute arbitrary commands on the host machine by appending shell metacharacters to the URL. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality, integrity, and availability.

Remote attackers require no privileges or user interaction to exploit this vulnerability, making it accessible over the network with low attack complexity. By supplying a crafted githubUrl to the cloneRepo method, an attacker can inject and execute arbitrary shell commands on the underlying host system, potentially leading to full compromise including data theft, persistence, or further lateral movement.

Mitigation details are provided in the GitHub security advisory at https://github.com/kapilduraphe/mcp-watch/security/advisories/GHSA-27m7-ffhq-jqrm and the patching commit at https://github.com/kapilduraphe/mcp-watch/commit/e7da78c5b4b960f8b66c254059ad9ebc544a91a6. Security practitioners should ensure MCP Watch instances are updated beyond version 0.1.2 to address the unsanitized execSync usage.
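
The general fix pattern for this class of bug, as an added example that is not code from MCP Watch or its advisory: validate githubUrl against a strict allowlist, then hand it to git as a single argv element with execFileSync instead of building a shell string. The function names and the github.com-only policy are assumptions made for illustration.

```javascript
// Added example, not MCP Watch's code. All function names are hypothetical.
// Flaw shape the advisory describes (illustrative, not the project's line):
//   execSync(`git clone ${githubUrl} ${dir}`)  // whole string reaches the shell
const SEGMENT = /^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,99}$/; // owner / repo allowlist

// Return a canonical clone URL, or throw if the input is anything else.
function validateGithubUrl(input) {
  if (typeof input !== 'string' || input.length > 300) {
    throw new TypeError('githubUrl must be a short string');
  }
  let url;
  try {
    url = new URL(input);
  } catch {
    throw new Error('githubUrl is not a URL');
  }
  if (url.protocol !== 'https:' || url.hostname !== 'github.com') {
    throw new Error('only https://github.com is allowed');
  }
  if (url.username || url.password || url.port || url.search || url.hash) {
    throw new Error('credentials, port, query and fragment are not allowed');
  }
  const parts = url.pathname.split('/').filter(Boolean);
  if (parts.length !== 2) throw new Error('expected /owner/repo');
  const owner = parts[0];
  const repo = parts[1].replace(/\.git$/, '');
  if (!SEGMENT.test(owner) || !SEGMENT.test(repo)) {
    throw new Error('owner or repo contains disallowed characters');
  }
  return `https://github.com/${owner}/${repo}.git`;
}

// Arguments as an array: each element is one argv entry and is never re-parsed.
// "--" ends option parsing so neither the URL nor destDir is read as an option.
function buildCloneArgv(githubUrl, destDir) {
  return ['clone', '--depth', '1', '--', validateGithubUrl(githubUrl), destDir];
}

// execFileSync starts git directly, with no shell in between.
async function safeCloneRepo(githubUrl, destDir) {
  const { execFileSync } = await import('node:child_process');
  execFileSync('git', buildCloneArgv(githubUrl, destDir), { stdio: 'ignore', timeout: 60000 });
}

// True when the validator accepts the value (used with constructed inputs).
function isAccepted(githubUrl) {
  try { validateGithubUrl(githubUrl); return true; } catch { return false; }
}
```

The validator rejects by default, so a URL containing `;`, `$(`, backticks, `|` or `&` never reaches git, and the argv form means no shell would interpret those characters even if one slipped through.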

Details

CWE(s)

Affected Products

kapilduraphe · mcp watch · ≤ 0.1.2

AI Security Analysis · AI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: MCP Watch is a security scanner specifically for Model Context Protocol (MCP) servers, which relates to AI agent protocols and integrations for handling model contexts in AI systems.

MITRE ATT&CK Enterprise Techniques · AI

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The command injection vulnerability allows attackers to execute arbitrary commands on the host by injecting shell metacharacters into the unsanitized githubUrl parameter passed to execSync (T1059).
