CVE-2025-53818
Published: 14 July 2025
Summary
CVE-2025-53818 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked in the top 16.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
Deeper analysis
GitHub Kanban MCP Server version 0.3.0, an MCP server for managing GitHub issues in Kanban format to support LLM task workflows, contains a command-injection vulnerability (CWE-78). The add_comment tool implementation concatenates untrusted input directly into a shell command executed via the Node.js child_process exec API to invoke the gh CLI, allowing arbitrary command execution on the host.
An unauthenticated remote attacker who can reach the exposed MCP tool can supply crafted input to achieve full control over the server process, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.9 rating.
The published GitHub Security Advisory GHSA-6jx8-rcjx-vmwf and linked source files document the vulnerable code paths but state that no patches are available at the time of disclosure.
EPSS remains flat at 0.0185 with no material increase since publication, and no evidence of in-the-wild exploitation is reported.
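The `exec` concatenation pattern described above, next to an argument-array form that keeps the comment text away from a shell. This is an added example, not code from GitHub Kanban MCP Server or its advisory; the function names, the `gh issue comment` argument layout and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not the project's own code.
const { execFileSync } = require("node:child_process");

// Pattern the advisory describes: untrusted text is spliced into one string
// that exec() hands to a shell, so quotes and `;` in `body` become syntax.
// Shown only as the string a shell would receive; it is never executed here.
function buildShellCommandUnsafe(issueNumber, body) {
  return `gh issue comment ${issueNumber} --body "${body}"`;
}

// Hardened form: validate the numeric field and keep every value as its own
// argv element, so no shell ever parses the comment text.
function buildGhArgs(issueNumber, body) {
  const n = String(issueNumber);
  if (!/^[1-9][0-9]{0,9}$/.test(n)) {
    throw new TypeError("issue number must be a positive integer");
  }
  if (typeof body !== "string" || body.length === 0 || body.includes("\0")) {
    throw new TypeError("comment body must be a non-empty string without NUL");
  }
  return ["issue", "comment", n, "--body", body];
}

// execFileSync spawns `bin` directly; no shell is involved unless the
// `shell` option is set, which it is not here.
function addComment(issueNumber, body, bin = "gh") {
  return execFileSync(bin, buildGhArgs(issueNumber, body), {
    encoding: "utf8",
    timeout: 15000,
  });
}

// Constructed input: a comment body carrying shell metacharacters.
const sampleBody = 'looks good"; echo injected; "';
```

With `sampleBody`, the concatenated string contains three shell commands, while `buildGhArgs` returns it unchanged as the single value following `--body`.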
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21393
Vulnerability details
GitHub Kanban MCP Server is a Model Context Protocol (MCP) server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `add_comment`, which relies on the Node.js child process API `exec` to execute the GitHub (`gh`) command; `exec` is an unsafe and vulnerable API if concatenated with untrusted user input. As of time of publication, no known patches are available.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- Classification Reason: Matched keywords: llm, mcp, model context protocol
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the add_comment tool via unsafe Node.js exec of gh command with untrusted input enables arbitrary remote command execution (T1059) and exploitation of the public-facing MCP server application (T1190).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.