CVE-2025-9262
Published: 20 August 2025
Summary
CVE-2025-9262 is a low-severity Command Injection (CWE-77) vulnerability in Wong2 Mcp-Cli. Its CVSS base score is 2.9 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9262 is an OS command injection vulnerability (CWE-77, CWE-78) in wong2 mcp-cli version 1.13.0. The flaw resides in the redirectToAuthorization function within the file /src/oauth/provider.js of the oAuth Handler component. This issue allows manipulation that triggers OS command injection and was published on 2025-08-20 with a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation with high complexity and is rated as difficult to exploit, requiring no privileges or user interaction. Attackers can achieve low-level impacts on confidentiality, integrity, and availability, potentially executing arbitrary OS commands through the OAuth handler.
Advisories from VulDB note that the vendor was contacted early about the disclosure but provided no response, and no patches or mitigations are referenced. A proof-of-concept exploit has been published and is available via linked gists, indicating it may be usable by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25438
Vulnerability details
A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component oAuth Handler. This manipulation causes os command injection. The attack may be initiated remotely. The attack is considered to…
more
have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote OS command injection (CWE-78) in public-facing OAuth handler directly enables T1190 exploitation and arbitrary command execution via T1059.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of all inputs to redirectToAuthorization to reject OS command injection payloads before execution.
Restricts the OAuth handler process to only necessary functions, disabling shell or command execution capabilities that the flaw would otherwise abuse.
Limits privileges of the mcp-cli process so that any injected commands cannot perform meaningful actions on the underlying OS.