CRITICAL🇵🇱 Wersja polska

CVE-2025-61492

CVSS 10.0v3.1pub. 2026-01-07upd. 2026-01-30

A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input.

🤖 AI Analysis
How it works

The execute_command function in version 0.1.7 does not properly filter or validate user-supplied input data. An attacker can craft a properly malicious payload and pass it to this function, resulting in embedding and execution of arbitrary system commands in the application context. The attack vector is network-based, requires no authentication or user interaction, and the scope of the vulnerability extends beyond the component where the error occurred (Scope: Changed).

Impact

An attacker can gain full control over the operating system on which the application runs — read, modify and delete data, install malicious software, and move laterally across the network. Confidentiality, integrity, and availability of the system are compromised at the highest level.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references. Until a fix is available, it is recommended to disable or network-isolate the component using the execute_command function and restrict access to the service only to trusted hosts.

Who is affected

Gongrzhe terminal-controller-mcp version 0.1.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Gongrzhe Terminal Controller Mcp

    APP
    Gongrzhe
    0.1.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References