CVE-2025-5277
Published: 28 May 2025
Summary
CVE-2025-5277 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 22.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
Deeper analysis
The vulnerability CVE-2025-5277 is a command injection flaw (CWE-78) in the aws-mcp-server MCP server. It resides in the CLI executor component and allows arbitrary operating-system commands to be executed on the host when a specially crafted prompt is processed by an MCP client.
An unauthenticated remote attacker can supply the malicious prompt through normal MCP client interaction. Successful exploitation grants the attacker full control of the host system, with high impact on confidentiality, integrity, and availability.
The referenced commit in the aws-mcp-server repository patches the vulnerable code path in cli_executor.py; practitioners should update to the fixed revision to eliminate the injection vector.
EPSS remains flat at a low value of 0.0102 with no material rise observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16320
Vulnerability details
aws-mcp-server MCP server is vulnerable to command injection. An attacker can craft a prompt that once accessed by the MCP client will run arbitrary commands on the host system.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- Classification Reason
- Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The command injection vulnerability in aws-mcp-server allows attackers to craft prompts that execute arbitrary commands on the host when accessed by the MCP client, enabling T1059 (Command and Scripting Interpreter) for execution and T1210 (Exploitation of Remote Services) for remote code execution via the server.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.