CVE-2025-11285

Summary

A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serverController.ts. The manipulation of the argument command/args results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
samanhappyMCPHub0.9.0affected
samanhappyMCPHub0.9.1affected
samanhappyMCPHub0.9.2affected
samanhappyMCPHub0.9.3affected
samanhappyMCPHub0.9.4affected
samanhappyMCPHub0.9.5affected
samanhappyMCPHub0.9.6affected
samanhappyMCPHub0.9.7affected
samanhappyMCPHub0.9.8affected
samanhappyMCPHub0.9.9affected
samanhappyMCPHub0.9.10affected

Weaknesses

  • CWE-78: OS Command Injection
  • CWE-77: Command Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References