CVE-2025-58062

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-58062

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-58062.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-58062

Aliases

GHSA-43m4-p3rv-c4v8

Published

2025-08-28T23:15:44Z

Modified

2025-08-29T16:59:49.858400Z

Summary

[none]

Details

LSTM-Kirigaya's openmcp-client is a vscode plugin for mcp developer. Prior to version 0.1.12, when users on a Windows platform connect to an attacker controlled MCP server, attackers could provision a malicious authorization server endpoint to silently achieve an OS command injection attack in the open() invocation, leading to client system compromise. This issue has been patched in version 0.1.12.

References

Affected packages

Git / github.com/lstm-kirigaya/openmcp-client

Affected ranges

Type: GIT
Repo: https://github.com/lstm-kirigaya/openmcp-client
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9c3799d6ffae8d0cdfab25a53af75e1afc85f6c3

Affected versions

v0.*

v0.0.8

v0.0.9

v0.1.0

v0.1.1

v0.1.10

v0.1.11

v0.1.12

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.8

v0.1.9