GHSA-X975-RGX4-5FH4: Unescaped Locator Data Cross-Site Scripting in appium-mcp MCP-UI Resource
Vulnerability ID: GHSA-X975-RGX4-5FH4
CVSS Score: 8.2
Published: 2026-06-19
GHSA-X975-RGX4-5FH4 is a high-severity Cross-Site Scripting (XSS) vulnerability residing in the Model Context Protocol (MCP) User Interface (UI) component of appium-mcp, an NPM package integrating Appium with MCP clients. The flaw exists within the createLocatorGeneratorUI utility function, which renders UI metadata directly into an HTML template page without performing sanitization or encoding. Because MCP clients use window.parent.postMessage to send commands from the UI to the host, this XSS can be escalated to trigger arbitrary MCP tool calls, potentially leading to Remote Code Execution (RCE) on the host running the MCP client.
TL;DR
A Cross-Site Scripting (XSS) vulnerability in the Appium Model Context Protocol (MCP) server allows unescaped layout metadata to execute malicious JavaScript in the client's inspector WebView, leading to arbitrary host command execution via postMessage exploitation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 8.2 (High)
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
- Impact: Client-Side Script Execution / Host Command Injection via postMessage
Affected Systems
- appium-mcp NPM package
- appium-mcp: < 1.85.10 (Fixed in: 1.85.10)
Code Analysis
Commit: e222bbb
Escape locator metadata and selectors before rendering HTML
Exploit Details
- GitHub Test Suite: Unit tests demonstrating direct markup injections and bracket-breakout validation
Mitigation Strategies
- Upgrade appium-mcp to v1.85.10 or later
- Enforce strict Content Security Policy (CSP) blocking inline scripts
- Restrict postMessage listeners to validated origins
Remediation Steps:
- Run npm install appium-mcp@latest to fetch the latest secure release
- Restart any active MCP-UI or Claude Desktop environments utilizing the package
- Configure iframe sandboxing properties on the parent container view to isolate the WebView execution space
References
Read the full report for GHSA-X975-RGX4-5FH4 on our website for more details including interactive diagrams and full exploit analysis.