Home

Description

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025).

PUBLISHED Reserved 2025-04-15 | Published 2025-11-30 | Updated 2025-12-01 | Assigner AHA




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

33267047667b9accfbf0fdac1c1c7ff12f3a5512 (commit-hash)
affected

Credits

jippen of AHA! finder

todb of AHA! coordinator

References

takeonme.org/...00000000000000000000000000000000000000000011 third-party-advisory technical-description exploit

github.com/0x4m4/hexstrike-ai/issues/115 issue-tracking

cve.org (CVE-2025-35028)

nvd.nist.gov (CVE-2025-35028)

Download JSON