MCP Security Top 10 - Part 6: Command Injection
This is the sixth article in our series about the top 10 security risks associated with the Model Context Protocol (MCP). This post focuses on Command Injection, a critical vulnerability that occurs when malicious commands or code can be inserted into MCP tool execution, potentially leading to unauthorized access or system compromise.
Introduction
Command injection vulnerabilities have long been a concern in traditional software security. In the context of MCP, these vulnerabilities take on added significance because:
- MCP tools often interface with system commands, shells, or interpreters
- AI systems might construct commands dynamically based on user input
- The capabilities granted to MCP servers typically allow for powerful system access
When command injection occurs in MCP contexts, attackers can potentially execute unauthorized code, access sensitive data, escalate privileges, or compromise entire systems.
MCP Security Top 10 Series
This article is part of a comprehensive series examining the top 10 security risks when using MCP with AI agents:
- MCP Security Top 10 Series: Introduction & Index
- MCP Overview
- Over-Privileged Access
- Prompt Injection Attacks
- Malicious MCP Servers
- Unvalidated Tool Responses
- Command Injection (this article)
- Resource Exhaustion
- Cross-Context Data Leakage
- MITM Attacks
- Social Engineering
- Overreliance on AI
What is Command Injection in MCP?
Command injection in MCP contexts occurs when:
- An MCP tool accepts parameters that influence command execution
- These parameters are not properly validated or sanitized
- Attackers can manipulate these parameters to include additional commands
- The MCP server executes the manipulated command with its privileges
The impact of command injection in MCP is often greater than in traditional web applications because MCP servers typically run with the user's full privileges, allowing for extensive system access.
Types of Command Injection in MCP
1. Shell Command Injection
This occurs when MCP tools execute shell commands without proper parameter sanitization:
// VULNERABLE: Direct use of user-supplied input in shell commands
import { MCPServer, createTool } from 'mcp-sdk-ts';
import { exec } from 'child_process';
const executeGrepTool = createTool({
name: "search_logs",
description: "Search log files for specific patterns",
inputSchema: {
type: "object",
properties: {
pattern: { type: "string" },
logFile: { type: "string" }
},
required: ["pattern", "logFile"]
},
handler: async ({ pattern, logFile }) => {
// VULNERABLE: pattern and logFile are used without sanitization
const command = `grep "${pattern}" ${logFile}`;
return new Promise((resolve, reject) => {
exec(command, (error, stdout, stderr) => {
if (error) reject(error);
resolve({ results: stdout });
});
});
}
});
An attacker could exploit this by providing a pattern like any_pattern"; rm -rf /* #, which would terminate the grep command and execute a destructive operation.
2. SQL Injection
When MCP tools interact with databases without using parameterized queries:
// VULNERABLE: SQL injection via string concatenation
import { MCPServer, createTool } from 'mcp-sdk-ts';
import { Database } from 'sqlite3';
const db = new Database('users.db');
const queryUsersTool = createTool({
name: "query_users",
description: "Query users by username pattern",
inputSchema: {
type: "object",
properties: {
usernamePattern: { type: "string" }
},
required: ["usernamePattern"]
},
handler: async ({ usernamePattern }) => {
// VULNERABLE: SQL injection possible through string concatenation
const query = `SELECT * FROM users WHERE username LIKE '%${usernamePattern}%'`;
return new Promise((resolve, reject) => {
db.all(query, (err, rows) => {
if (err) reject(err);
resolve({ users: rows });
});
});
}
});
An attacker could exploit this by providing a pattern like %' OR 1=1 --, which would return all users in the database.
3. Code Evaluation Injection
When MCP tools execute or evaluate code dynamically:
// VULNERABLE: Dynamic code evaluation
import { MCPServer, createTool } from 'mcp-sdk-ts';
const evaluateExpressionTool = createTool({
name: "evaluate_expression",
description: "Evaluate a mathematical expression",
inputSchema: {
type: "object",
properties: {
expression: { type: "string" }
},
required: ["expression"]
},
handler: async ({ expression }) => {
// VULNERABLE: Directly evaluating user input
try {
// This is extremely dangerous
const result = eval(expression);
return { result };
} catch (error) {
throw new Error(`Failed to evaluate expression: ${error.message}`);
}
}
});
An attacker could exploit this by providing an expression like require('fs').readFileSync('/etc/passwd', 'utf8') to read sensitive files.
Real-World Impact
The impact of command injection in MCP can be severe:
- Data Breach: Accessing sensitive files or databases
- System Compromise: Gaining shell access to the host system
- Privilege Escalation: Leveraging the MCP server's permissions
- Lateral Movement: Using the compromised system to access other resources
- Service Disruption: Executing commands that crash or corrupt services
Detection Methods
1. Static Analysis
Use static analysis tools to identify potential command injection vulnerabilities:
- Look for direct use of user input in command execution
- Detect string concatenation in command construction
- Identify use of dangerous functions like
eval,exec, orsystem - Check for missing input validation or sanitization
2. Dynamic Analysis
Implement runtime monitoring for suspicious command patterns:
- Monitor for unexpected command syntax or special characters
- Track command execution patterns for anomalies
- Log and analyze all command executions from MCP tools
- Look for commands accessing sensitive resources or unusual paths
3. Security Testing
Conduct specific testing for command injection vulnerabilities:
- Perform penetration testing with command injection payloads
- Use automated scanning tools designed for command injection
- Test edge cases and unexpected input formats
- Verify that error handling doesn't expose command details
Mitigation Strategies
1. Use Safe APIs Instead of Shell Commands
Whenever possible, avoid shell commands in favor of language APIs:
// IMPROVED: Using native filesystem APIs instead of shell commands
import { MCPServer, createTool } from 'mcp-sdk-ts';
import * as fs from 'fs';
import * as path from 'path';
const allowedDirectory = '/var/log';
const searchLogsTool = createTool({
name: "search_logs",
description: "Search log files for specific patterns",
inputSchema: {
type: "object",
properties: {
pattern: { type: "string" },
logFileName: { type: "string" }
},
required: ["pattern", "logFileName"]
},
handler: async ({ pattern, logFileName }) => {
// Validate the log file path
const sanitizedLogFile = path.basename(logFileName);
const fullPath = path.join(allowedDirectory, sanitizedLogFile);
// Validate the path is still within allowed directory
if (!fullPath.startsWith(allowedDirectory)) {
throw new Error('Invalid log file path');
}
// Use native APIs instead of shell commands
try {
const logContent = fs.readFileSync(fullPath, 'utf8');
const regex = new RegExp(pattern, 'g');
const matches = logContent.match(regex) || [];
return { results: matches };
} catch (error) {
throw new Error(`Failed to search logs: ${error.message}`);
}
}
});
2. Implement Strict Input Validation
Apply comprehensive input validation:
// IMPROVED: With strict input validation
import { MCPServer, createTool } from 'mcp-sdk-ts';
import { exec } from 'child_process';
const validatePattern = (pattern) => {
// Only allow alphanumeric characters, spaces, and basic punctuation
const regex = /^[a-zA-Z0-9\s.,?!:;-]+$/;
if (!regex.test(pattern)) {
throw new Error('Invalid search pattern');
}
return pattern;
};
const validateLogFile = (logFile) => {
// Only allow specific log files
const allowedLogs = ['system.log', 'app.log', 'error.log'];
if (!allowedLogs.includes(logFile)) {
throw new Error('Invalid log file');
}
return `/var/log/${logFile}`;
};
const executeGrepTool = createTool({
name: "search_logs",
description: "Search log files for specific patterns",
inputSchema: {
type: "object",
properties: {
pattern: { type: "string" },
logFile: { type: "string" }
},
required: ["pattern", "logFile"]
},
handler: async ({ pattern, logFile }) => {
// Validate inputs before use
const validatedPattern = validatePattern(pattern);
const validatedLogFile = validateLogFile(logFile);
// Use validated inputs in the command
const command = `grep "${validatedPattern}" ${validatedLogFile}`;
return new Promise((resolve, reject) => {
exec(command, (error, stdout, stderr) => {
if (error && error.code !== 1) reject(error); // grep returns 1 if no matches
resolve({ results: stdout });
});
});
}
});
3. Use Parameterized Queries for Databases
When working with databases, always use parameterized queries:
// IMPROVED: Using parameterized queries
import { MCPServer, createTool } from 'mcp-sdk-ts';
import { Database } from 'sqlite3';
const db = new Database('users.db');
const queryUsersTool = createTool({
name: "query_users",
description: "Query users by username pattern",
inputSchema: {
type: "object",
properties: {
usernamePattern: { type: "string" }
},
required: ["usernamePattern"]
},
handler: async ({ usernamePattern }) => {
// SECURE: Using parameterized query
const query = `SELECT * FROM users WHERE username LIKE ?`;
const params = [`%${usernamePattern}%`];
return new Promise((resolve, reject) => {
db.all(query, params, (err, rows) => {
if (err) reject(err);
resolve({ users: rows });
});
});
}
});
4. Implement Command Allowlisting
For cases where shell commands are necessary, use an allowlist approach:
// IMPROVED: Using command allowlisting
import { MCPServer, createTool } from 'mcp-sdk-ts';
import { exec } from 'child_process';
// Define allowed commands and their parameters
const allowedCommands = {
'list_files': {
command: 'ls',
allowedFlags: ['-l', '-a', '-h', '--color'],
allowedPaths: ['/var/log', '/tmp/public', './data']
},
'disk_usage': {
command: 'du',
allowedFlags: ['-h', '-s', '--max-depth=1'],
allowedPaths: ['/var/log', '/tmp/public', './data']
}
};
const executeCommandTool = createTool({
name: "execute_command",
description: "Execute an allowed system command",
inputSchema: {
type: "object",
properties: {
commandType: { type: "string", enum: Object.keys(allowedCommands) },
flags: { type: "array", items: { type: "string" } },
path: { type: "string" }
},
required: ["commandType", "path"]
},
handler: async ({ commandType, flags = [], path }) => {
const commandConfig = allowedCommands[commandType];
// Validate flags
const validFlags = flags.filter(flag =>
commandConfig.allowedFlags.includes(flag));
// Validate path
let validPath = null;
for (const allowedPath of commandConfig.allowedPaths) {
if (path === allowedPath || path.startsWith(`${allowedPath}/`)) {
validPath = path;
break;
}
}
if (!validPath) {
throw new Error(`Path not allowed: ${path}`);
}
// Construct command with validated components
const command = `${commandConfig.command} ${validFlags.join(' ')} ${validPath}`;
return new Promise((resolve, reject) => {
exec(command, (error, stdout, stderr) => {
if (error) reject(error);
resolve({ output: stdout });
});
});
}
});
5. Use Sandboxing and Isolation
Run MCP servers in restricted environments:
- Use containerization with limited capabilities
- Apply seccomp profiles to restrict system calls
- Implement filesystem isolation
- Use separate user accounts with minimal privileges
- Apply network restrictions to prevent data exfiltration
Tools like Docker combined with security profiles can significantly reduce the impact of command injection by limiting what resources an MCP server can access, even if it's compromised.
Conclusion
Command injection vulnerabilities in MCP tools pose a significant security risk due to the powerful capabilities that MCP servers typically possess. By implementing proper input validation, using safer APIs, employing parameterized queries, implementing command allowlisting, and applying sandboxing techniques, you can significantly reduce the risk of these vulnerabilities.
Remember that defense in depth is crucial—apply multiple layers of protection rather than relying on a single mitigation technique. Always assume that inputs could be malicious and design your MCP tools accordingly.
In the next article in this series, we'll explore the risks of resource exhaustion in MCP implementations and strategies for preventing denial-of-service attacks.
Protect Against Command Injection with Garnet
As we've explored in this article, command injection vulnerabilities in MCP tools can lead to unauthorized code execution, system compromise, and data breaches. Traditional security tools often struggle to detect these attacks since they exploit legitimate command execution channels.
Garnet provides specialized runtime security monitoring designed to detect and block suspicious command patterns executed by MCP servers. Unlike static analysis tools that might miss dynamic injection techniques, Garnet's approach focuses on monitoring actual execution behavior.
With Garnet's Linux-based Jibril sensor, you can protect your environments against command injection attacks:
- Command Pattern Analysis: Identify abnormal command structures or suspicious parameter patterns
- Process Ancestry Monitoring: Detect unexpected process spawning from MCP servers
- File Access Surveillance: Monitor attempts to access sensitive files or unauthorized directories
- Runtime Protection: Block execution of potentially dangerous commands in real-time
The Garnet Platform provides centralized visibility into command execution patterns, with real-time alerts that integrate with your existing security workflows.
Learn more about securing your AI-powered development environments against command injection at Garnet.ai.
