Description

ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, some of the server's MCP tool definitions and implementations are vulnerable to command injection. This issue has been patched via commit 041729c.

PUBLISHED Reserved 2025-09-22 | Published 2025-09-25 | Updated 2025-09-25 | Assigner GitHub_M




CRITICAL: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

<= 0.1.0: affected

References

github.com/...db-mcp/security/advisories/GHSA-54j7-grvr-9xwg

github.com/...ommit/041729c0b25432df3199ff71b3163a307cf4c28c

github.com/srmorete/adb-mcp/blob/master/src/index.ts

cve.org (CVE-2025-59834)

nvd.nist.gov (CVE-2025-59834)
