CVE-2025-10619
BaseFortify

Publication date: 2025-09-17

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in sequa-ai sequa-mcp up to 1.0.13. It affects the function redirectToAuthorization in the file src/helpers/node-oauth-client-provider.ts of the component OAuth Server Discovery. Manipulation results in OS command injection. The vulnerability can be exploited remotely, and the exploit is now public and may be used. Upgrading to version 1.0.14 mitigates this issue. The patch is named e569815854166db5f71c2e722408f8957fb9e804. It is recommended to upgrade the affected component. The vendor explains: "We only promote that mcp server with our own URLs that have a valid response, but yes if someone would use it with a non sequa url, this is a valid attack vector. We have released a new version (1.0.14) that fixes this and validates that only URLs can be opened."
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor      Product     Version / Range
sequa-ai    sequa-mcp   1.0.13
sequa-ai    sequa-mcp   1.0.14
CWE
CWE ID   Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the sequa-ai sequa-mcp software up to version 1.0.13, specifically in the redirectToAuthorization function of the OAuth Server Discovery component. It allows an attacker to perform OS command injection by manipulating this function, potentially executing arbitrary commands on the system remotely. The vulnerability can be exploited remotely and the exploit is publicly available. The issue is fixed in version 1.0.14 by validating that only URLs from sequa are accepted.


How can this vulnerability impact me?

This vulnerability can allow a remote attacker to execute arbitrary operating system commands on the affected system, which can lead to unauthorized access, data compromise, system disruption, or further attacks. Since the exploit is public, the risk of exploitation is higher if the system is not updated to the fixed version 1.0.14.


What immediate steps should I take to mitigate this vulnerability?

Upgrade the affected sequa-ai sequa-mcp component to version 1.0.14, which includes a patch that validates URLs and fixes the OS command injection vulnerability in the redirectToAuthorization function.

