Command Injection in adb-mcp MCP Server_CVE-2025-59834

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. This issue has been patched via commit 041729c.

Basic Information

ID CVE-2025-59834

Source GitHub_M

Published Sep 25, 2025 at 13:41

Affected Product

Vendor srmorete

Product adb-mcp

Version <= 0.1.0

Affected Versions srmorete adb-mcp <= 0.1.0

CWE Classification

CWE-77 CWE-78

References

{
    "lastseen": "",
    "description": "ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. This issue has been patched via commit 041729c.",
    "published": "2025-09-25T13:41:15.676Z",
    "modified": "2025-09-25T13:41:15.676Z",
    "type": "cve",
    "title": "Command Injection in adb-mcp MCP Server",
    "source": "GitHub_M",
    "references": "https://github.com/srmorete/adb-mcp/security/advisories/GHSA-54j7-grvr-9xwg\nhttps://github.com/srmorete/adb-mcp/commit/041729c0b25432df3199ff71b3163a307cf4c28c\nhttps://github.com/srmorete/adb-mcp/blob/master/src/index.ts#L334-L355",
    "id": "CVE-2025-59834",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "srmorete adb-mcp <= 0.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "adb-mcp",
    "version": "<= 0.1.0",
    "vendor": "srmorete",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}