CVE-2025-11491

Summary

A vulnerability was found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The impacted element is the function CommandManager of the file src/command-manager.ts. Performing manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Affected Software

VendorProductVersion RangeStatus
wonderwhy-erDesktopCommanderMCP0.2.0affected
wonderwhy-erDesktopCommanderMCP0.2.1affected
wonderwhy-erDesktopCommanderMCP0.2.2affected
wonderwhy-erDesktopCommanderMCP0.2.3affected
wonderwhy-erDesktopCommanderMCP0.2.4affected
wonderwhy-erDesktopCommanderMCP0.2.5affected
wonderwhy-erDesktopCommanderMCP0.2.6affected
wonderwhy-erDesktopCommanderMCP0.2.7affected
wonderwhy-erDesktopCommanderMCP0.2.8affected
wonderwhy-erDesktopCommanderMCP0.2.9affected
wonderwhy-erDesktopCommanderMCP0.2.10affected
wonderwhy-erDesktopCommanderMCP0.2.11affected
wonderwhy-erDesktopCommanderMCP0.2.12affected
wonderwhy-erDesktopCommanderMCP0.2.13affected

Weaknesses

  • CWE-78: OS Command Injection
  • CWE-77: Command Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References