CVE-2025-53818

High · RCE

Published: 14 July 2025

Modified: 15 April 2026
CVSS Score v4: 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0185 (83.4th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53818 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked in the top 16.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

Deeper analysis

GitHub Kanban MCP Server version 0.3.0, an MCP server for managing GitHub issues in Kanban format to support LLM task workflows, contains a command-injection vulnerability (CWE-78). The add_comment tool implementation concatenates untrusted input directly into a shell command executed via the Node.js child_process exec API to invoke the gh CLI, allowing arbitrary command execution on the host.

An unauthenticated remote attacker who can reach the exposed MCP tool can supply crafted input to achieve full control over the server process, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.9 rating.

The published GitHub Security Advisory GHSA-6jx8-rcjx-vmwf and linked source files document the vulnerable code paths but state that no patches are available at the time of disclosure.

EPSS remains flat at 0.0185 with no material increase since publication, and no evidence of in-the-wild exploitation is reported.

Vulnerability details

GitHub Kanban MCP Server is a Model Context Protocol (MCP) server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `add_comment`, which relies on the Node.js child process API `exec` to execute the GitHub (`gh`) command; `exec` is an unsafe and vulnerable API if concatenated with untrusted user input. As of time of publication, no known patches are available.
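
An added example, not code from the GitHub Kanban MCP Server or its advisory: the `exec` string-concatenation pattern described above, beside an `execFile` form that validates its inputs. The parameter names `issueNumber` and `body`, the helper names, and the sample input are assumptions made for illustration.

```javascript
// Constructed sample input: a comment body containing shell syntax.
const SAMPLE_BODY = 'LGTM"; echo INJECTED; "';

// Vulnerable pattern: untrusted values are pasted into one string that
// exec() hands to a shell, so quotes, ;, $() and backticks inside `body`
// are parsed as shell syntax instead of comment text.
// Returned as a string here so the effect can be inspected without running it.
function unsafeCommand(issueNumber, body) {
  return `gh issue comment ${issueNumber} --body "${body}"`;
}

// Hardened form: build an argv array for execFile(), which starts gh
// directly with no shell in between.
function safeArgs(issueNumber, body) {
  // The positional argument must be a plain number. Removing the shell does
  // not stop gh itself from reading a value such as "--repo=x/y" as an option.
  if (!/^[1-9][0-9]{0,9}$/.test(String(issueNumber))) {
    throw new TypeError("issueNumber must be a positive integer");
  }
  if (typeof body !== "string" || body.length === 0 || body.includes("\0")) {
    throw new TypeError("body must be a non-empty string without NUL bytes");
  }
  // --body=<text> keeps the text attached to its flag, so a body that
  // starts with "-" is still treated as data.
  return ["issue", "comment", String(issueNumber), `--body=${body}`];
}

// `run` is injectable so the call can be tested without gh installed;
// by default it is child_process.execFile (CommonJS require).
function addComment(issueNumber, body, run) {
  run = run || require("node:child_process").execFile;
  const options = { shell: false, timeout: 15000 };
  return run("gh", safeArgs(issueNumber, body), options);
}
```

With the sample body, `unsafeCommand` yields a string the shell splits into three commands, while `safeArgs` keeps the whole body as a single argument to `gh`.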

AI Security Analysis (AI)

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: LLM01:2025 Prompt Injection
Classification Reason: Matched keywords: llm, mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Command injection in the add_comment tool via unsafe Node.js exec of gh command with untrusted input enables arbitrary remote command execution (T1059) and exploitation of the public-facing MCP server application (T1190).

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
