Terminal Velocity: Bypassing MCP "Security" with CVE-2025-61492
Vulnerability ID: CVE-2025-61492
CVSS Score: 10.0
Published: 2026-01-07
A Critical (10.0) command injection vulnerability in terminal-controller-mcp allows attackers to bypass a naive blacklist filter using basic shell obfuscation, granting full Remote Code Execution (RCE).
TL;DR
The developers of terminal-controller-mcp tried to secure their tool by blacklisting strings like "rm -rf". They failed to account for how shells actually work. By using command substitution and string concatenation, an attacker can construct any blacklisted command (e.g., mkfs) at runtime, completely bypassing the filter and executing arbitrary code with the privileges of the MCP server.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-77 (Command Injection)
- Attack Vector: Network (JSON-RPC)
- CVSS v3.1: 10.0 (Critical)
- Impact: Remote Code Execution (RCE)
- Exploit Complexity: Low
- Privileges Required: None
Affected Systems
- terminal-controller-mcp: <= 0.1.7 (Fixed in: TBD)
- super-shell-mcp: <= 2.0.13 (Fixed in: TBD)
Mitigation Strategies
- Disable shell execution context (shell=False in Python, shell: false in Node)
- Implement a strict allowlist (whitelist) of permitted commands
- Sanitize input to reject shell meta-characters ($, |, ;, &, backticks)
Remediation Steps:
- Locate the execute_command function in terminal_controller.py.
- Refactor the execution logic to use subprocess.run with shell=False.
- Parse the input command string into a list (e.g., using shlex.split) before passing it to subprocess.
- Remove the dangerous_commands blacklist and replace it with a strict validation of the command binary against an allowed list.
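The remediation steps above, sketched as an added example (not the project's own code): a substring blacklist of the kind described is compared with allowlist validation on the parsed argv and execution with shell=False. The list contents, the function names and the sample inputs are assumptions made for illustration.

```python
import shlex
import subprocess

# Assumed lists for illustration; the project's real lists are not shown on the page.
DANGEROUS_SUBSTRINGS = ["rm -rf", "mkfs"]          # blacklist style the page describes
ALLOWED_BINARIES = {"ls", "cat", "echo", "pwd"}    # hypothetical allowlist
SHELL_METACHARS = set("$|;&`<>\n")

def blacklist_allows(command: str) -> bool:
    """Flawed check: substring match on raw text, before the shell expands it."""
    return not any(bad in command for bad in DANGEROUS_SUBSTRINGS)

def validate_command(command: str) -> list[str]:
    """Return an argv list for an allowed command, else raise ValueError."""
    if any(ch in SHELL_METACHARS for ch in command):
        raise ValueError("shell meta-character in input")
    try:
        argv = shlex.split(command)                # same tokens the program will receive
    except ValueError as exc:                      # e.g. unbalanced quotes
        raise ValueError(f"unparseable command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_BINARIES:            # exact name; paths like /tmp/ls fail
        raise ValueError(f"binary not allowed: {argv[0]!r}")
    return argv

def is_rejected(command: str) -> bool:
    try:
        validate_command(command)
        return False
    except ValueError:
        return True

def run_command(command: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute without a shell, so no expansion happens after validation."""
    argv = validate_command(command)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)

if __name__ == "__main__":
    # Constructed, benign inputs.
    samples = ['ls -la /tmp', 'echo "$(printf %s hello)"', 'ec""ho hi', 'mkfs /dev/null']
    for s in samples:
        print(f"{s!r:32} blacklist_allows={blacklist_allows(s)} rejected={is_rejected(s)}")
```

The second sample passes the blacklist because the raw text contains no listed substring, while the validator rejects it on the `$`; the third shows that checking the binary name after shlex.split sees the token the program would actually receive.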