QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-11490

Back to search

CVE-2025-11490

Published: Oct 8, 2025

Modified: Oct 23, 2025

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor explains: "The usual use case is that AI is asked to do something, picks commands itself, and typically uses simple command names without absolute paths. It's curious why a user would ask the model to bypass restrictions this way. (...) This could potentially be a problem, but we are yet to hear reports of this being an issue in actual workflows. We'll leave this issue open for situations where people may report this as a problem for the long term."

VendorProductVersions

wonderwhy-er

DesktopCommanderMCP

affected
0.2.0
affected
0.2.1
affected
0.2.2
affected
0.2.3
affected
0.2.4

+9 more versions

Weaknesses (CWE)

CWE-78
CWE-77

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now