Executive Summary

CVE-2026-5125 is a command injection vulnerability in the consult-llm-mcp package, specifically affecting versions up to 2.5.3. The vulnerability arises from unsafe use of Node.js's child_process.execSync function, which executes shell commands constructed directly from user-controlled input without proper sanitization or validation.

The vulnerable code interpolates parameters such as git_diff.base_ref and git_diff.files directly into shell command strings. This allows an attacker with local access to inject arbitrary shell metacharacters (e.g., ;, &, |) into these parameters, causing the server to execute unintended commands with the privileges of the MCP server process.

The vulnerability is located in the generateGitDiff function and related code in src/server.ts and src/git.ts files. Exploitation can lead to arbitrary command execution on the server hosting the MCP component.

The issue was fixed in version 2.5.4 by replacing execSync with Rust's std::process::Command API, which executes commands with argument-based invocation, avoiding shell interpretation and thus preventing command injection. Additional mitigations include strict input validation and parameter separation to ensure user inputs are treated as data, not executable code.

Useful 0 Not Useful 0

Impact Analysis

Successful exploitation of this vulnerability allows an attacker with local access to execute arbitrary operating system commands on the MCP server hosting the consult-llm-mcp component.

This can lead to unauthorized data access, modification of the server environment, privilege escalation, or full system compromise depending on the privileges of the MCP server process.

Because the injected commands run with the same privileges as the MCP server, attackers could potentially manipulate files, exfiltrate sensitive information, or disrupt service operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves command injection via the git_diff.base_ref or git_diff.files parameters in the consult-llm-mcp server, specifically through unsafe use of Node.js's child_process.execSync function. Detection can focus on identifying suspicious command executions or unexpected file creations triggered by injected shell metacharacters.

One practical detection method is to monitor for unusual files created by injected commands, such as the proof-of-concept where the command `whoami` output was redirected to a file named poc.txt.

Suggested commands to detect exploitation attempts include searching for such files or suspicious processes on the server hosting consult-llm-mcp:

• Check for unexpected files like poc.txt in the repository or working directory: `find /path/to/repo -name 'poc.txt'`
• Monitor running processes for suspicious commands injected via shell metacharacters: `ps aux | grep -E 'whoami|;|&|\|'`
• Review server logs for unusual command executions or errors related to git_diff.base_ref or git_diff.files parameters.

Additionally, auditing the source code or deployment to verify if the vulnerable execSync usage is present (in src/server.ts lines 102-104 and src/git.ts lines 14-18) can help confirm if the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade the consult-llm-mcp package to version 2.5.4 or later, where the vulnerability has been fixed.

The fix replaces the unsafe use of Node.js's child_process.execSync with Rust's std::process::Command API, which executes commands with argument-based invocation, preventing shell command injection.

Additional immediate mitigation steps include:

• Avoid using execSync in your own code; prefer execFileSync or equivalent APIs that separate command and arguments.
• Implement strict input validation and sanitization on all user inputs exposed to the MCP server, especially the git_diff.base_ref and git_diff.files parameters.
• Use parameter separation and proper escaping to ensure user inputs are treated as data, not executable code.

Since the attack requires local access, restrict access to the MCP server to trusted users only and monitor for suspicious activity.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows local attackers to execute arbitrary OS commands on the MCP server due to command injection in the child_process.execSync function. Successful exploitation could lead to unauthorized data access or system modification depending on server privileges.

Such unauthorized access or modification of data could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Useful 0 Not Useful 0