Cyber Resilience

CVE-2025-53100

HighRCE

Published: 01 July 2025

Published
01 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0181 83.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53100 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 16.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain; MITRE ATLAS techniques in scope: Command and Scripting Interpreter (AML.T0050), LLM Prompt Injection (AML.T0051).

Deeper analysis

RestDB's Codehooks.io MCP Server, an MCP server component on the Codehooks.io platform, is affected by a command injection vulnerability (CWE-78) in versions prior to 0.2.2. The flaw stems from insecure definition and implementation of certain MCP Server tools, allowing injection of operating system commands.

An unauthenticated remote attacker can trigger the issue via a user-initiated interaction with a running MCP Server instance, achieving full control over host commands with high impact to confidentiality, integrity, and availability. The CVSS 4.0 vector reflects network attack reachability, low complexity, and no required privileges.

The vulnerability has been addressed in version 0.2.2, as documented in the project's GitHub security advisory GHSA-fhq6-jf5q-qxvq and the associated commits that remediate the affected tool implementations. The EPSS score remains low with negligible movement between its current value of 0.0181 and recorded peak of 0.0197.

EU & UK References

Vulnerability details

RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools…

more

definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
LLM01:2025 Prompt Injection
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The command injection vulnerability enables remote arbitrary command execution on the MCP server (T1059: Command and Scripting Interpreter) via exploitation of a public-facing application (T1190: Exploit Public-Facing Application).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0050: Command and Scripting InterpreterAML.T0051: LLM Prompt Injection

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References