CVE-2025-53832
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| translated | lara-mcp | 0.0.11 |
| translated | lara-mcp | 0.0.12 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Lara Translate MCP Server versions 0.0.11 and below, where unsanitized input parameters are used directly in shell command execution via child_process.exec. This allows an attacker to inject arbitrary system commands through shell metacharacters, leading to remote code execution with the server process's privileges. The issue is fixed in version 0.0.12.
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow an attacker to execute arbitrary system commands remotely on the server running Lara Translate MCP Server, potentially leading to full compromise of the server, data loss, or unauthorized access depending on the privileges of the server process.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Lara Translate MCP Server to version 0.0.12 or later, as this version contains the fix for the command injection vulnerability. Avoid using versions 0.0.11 and below. Additionally, restrict access to the server to trusted users and networks until the upgrade is applied.