CVE-2025-9654

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-9654

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-9654.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-9654

Aliases

GHSA-694p-3fxc-m92h

Published

2025-08-29T15:15:38Z

Modified

2025-08-30T04:49:58.363015Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

A security flaw has been discovered in AiondaDotCom mcp-ssh up to 1.0.3. Affected by this issue is some unknown functionality of the file server-simple.mjs. Performing manipulation results in command injection. The attack can be initiated remotely. Upgrading to version 1.0.4 and 1.1.0 can resolve this issue. The patch is named cd2566a948b696501abfa6c6b03462cac5fb43d8. It is advisable to upgrade the affected component.

References

Affected packages

Git / github.com/aiondadotcom/mcp-ssh

Affected ranges

Type: GIT
Repo: https://github.com/aiondadotcom/mcp-ssh
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5b9b9c5b28d3f2672f356a790154ed68e17ef453

Fixed

cd2566a948b696501abfa6c6b03462cac5fb43d8

Affected versions

v1.*

v1.0.2

v1.0.3