Cyber Posture

CVE-2025-66401

Critical · Public PoC · RCE

Published: 01 December 2025

Modified: 06 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0111 (78.3th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66401 is a critical-severity OS Command Injection (CWE-78) vulnerability in Kapilduraphe Mcp Watch. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked in the top 21.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly prevents command injection by requiring validation and sanitization of user-supplied inputs like githubUrl before passing to execSync.

prevent: Mandates timely remediation of the specific command injection flaw in MCP Watch versions 0.1.2 and earlier via patching.

prevent: Limits the scope and impact of arbitrary command execution resulting from the injection by enforcing least privilege on the hosting process.

MITRE ATT&CK Enterprise Techniques [AI]

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The command injection vulnerability allows attackers to execute arbitrary commands on the host by injecting shell metacharacters into the unsanitized githubUrl parameter passed to execSync (T1059).

NVD Description

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

Deeper analysis [AI]

CVE-2025-66401 is a critical command injection vulnerability (CWE-78) in MCP Watch, a comprehensive security scanner for Model Context Protocol (MCP) servers, affecting versions 0.1.2 and earlier. The issue exists in the MCPScanner class's cloneRepo method, where the user-supplied githubUrl argument is passed directly to a system shell via execSync without any sanitization. This flaw enables attackers to execute arbitrary commands on the host machine by appending shell metacharacters to the URL. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality, integrity, and availability.

Remote attackers require no privileges or user interaction to exploit this vulnerability, making it accessible over the network with low attack complexity. By supplying a crafted githubUrl to the cloneRepo method, an attacker can inject and execute arbitrary shell commands on the underlying host system, potentially leading to full compromise including data theft, persistence, or further lateral movement.

Mitigation details are provided in the GitHub security advisory at https://github.com/kapilduraphe/mcp-watch/security/advisories/GHSA-27m7-ffhq-jqrm and the patching commit at https://github.com/kapilduraphe/mcp-watch/commit/e7da78c5b4b960f8b66c254059ad9ebc544a91a6. Security practitioners should ensure MCP Watch instances are updated beyond version 0.1.2 to address the unsanitized execSync usage.
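
The input validation and shell-free invocation that the SI-10 control above calls for can be sketched as follows. This is an added example, not code from MCP Watch or its patch: parseGithubUrl and cloneRepoSafely are hypothetical names, and restricting input to https://github.com/<owner>/<repo> URLs is an assumption.

```javascript
// Added example, not MCP Watch's code; function names are hypothetical.
//
// Pattern the advisory describes (exact shape assumed, shown only as a comment):
//   execSync(`git clone ${githubUrl} ${dir}`)   // a shell parses githubUrl

// Owner and repo names: must start alphanumeric, no shell or option characters.
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Return a canonical clone URL, or throw if the input is not a plain
// https://github.com/<owner>/<repo> URL (assumed policy for this example).
function parseGithubUrl(githubUrl) {
  if (typeof githubUrl !== "string" || /[\s\\]/.test(githubUrl)) {
    throw new Error("githubUrl must be a string without whitespace or backslashes");
  }
  let url;
  try {
    url = new URL(githubUrl);
  } catch {
    throw new Error("githubUrl is not a valid URL");
  }
  if (url.protocol !== "https:" || url.hostname !== "github.com" || url.port ||
      url.username || url.password || url.search || url.hash) {
    throw new Error("only https://github.com/<owner>/<repo> is accepted");
  }
  const parts = url.pathname.split("/").filter(Boolean);
  if (parts.length !== 2 || !parts.every((p) => SEGMENT.test(p))) {
    throw new Error("path must be exactly /<owner>/<repo>");
  }
  // Rebuild the URL from validated pieces instead of reusing the raw input.
  return `https://github.com/${parts[0]}/${parts[1]}`;
}

// Clone without a shell: execFileSync hands each argv element to git verbatim,
// and "--" stops a value that starts with "-" from being read as a git option.
function cloneRepoSafely(githubUrl, destDir) {
  const { execFileSync } = require("node:child_process"); // loaded only when cloning
  const cleanUrl = parseGithubUrl(githubUrl);
  execFileSync("git", ["clone", "--depth", "1", "--", cleanUrl, destDir], {
    stdio: "ignore",
    timeout: 120000, // milliseconds
  });
  return cleanUrl;
}
```

Validation and the argv-based call are independent layers: either one alone keeps a shell from interpreting the URL, and together they also reject option-like and off-host inputs.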

Details

CWE(s): CWE-78

Affected Products

kapilduraphe mcp watch, versions ≤ 0.1.2

AI Security Analysis [AI]

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: MCP Watch is a security scanner specifically for Model Context Protocol (MCP) servers, which relates to AI agent protocols and integrations for handling model contexts in AI systems.

CVEs Like This One

CVE-2025-11491 (Shared CWE-78)
CVE-2025-52626 (Shared CWE-78)
CVE-2026-6942 (Shared CWE-78)
CVE-2026-34935 (Shared CWE-78)
CVE-2025-6514 (Shared CWE-78)
CVE-2026-25546 (Shared CWE-78)
CVE-2025-59834 (Shared CWE-78)
CVE-2026-23882 (Shared CWE-78)
CVE-2025-0680 (Shared CWE-78)
CVE-2025-23316 (Shared CWE-78)
