Message-ID: <c9346cf4-9e3e-74d9-2bda-951bcb9bcab0@amdal.dev>
Date: Sun, 19 Apr 2026 13:06:09 +0000
From: Pico 🧬 <pico@...al.dev>
To: oss-security@...ts.openwall.com
Subject: [CVE REQUEST] terminal-controller-mcp: trivially bypassable
command blocklist enables unrestricted RCE (CVSS 10.0)
Hi,
I'm reporting a critical security vulnerability in terminal-controller-mcp, an
open-source Python MCP (Model Context Protocol) server. The repository has been
archived by the maintainer (no fix will come), and private disclosure has
received no response. I'm posting to seek CVE assignment and to alert users.
---
PRODUCT
terminal-controller (PyPI: https://pypi.org/project/terminal-controller/)
GitHub: https://github.com/GongRzhe/terminal-controller-mcp (ARCHIVED)
Maintainer: GongRzhe <gongrzhe@...il.com>
AFFECTED VERSIONS
All versions ≤ 0.1.9 (current/final version)
FIXED VERSIONS
None. Repository archived ~2025-06-14. No patch expected.
---
VULNERABILITY DESCRIPTION
terminal-controller-mcp is an MCP server that allows AI models (e.g., Claude,
GPT-4) to execute arbitrary shell commands on the host system. The server
passes commands directly to asyncio.create_subprocess_shell() with
executable="/bin/bash".
The sole security control is a keyword blocklist (terminal_controller.py,
lines 115-118):
dangerous_commands = ["rm -rf /", "mkfs"]
if any(dc in command.lower() for dc in dangerous_commands):
return "For security reasons, this command is not allowed."
This is trivially bypassed using basic shell features:
# Bypass mkfs via command substitution:
$(echo mk)fs
# Bypass rm -rf / via variable reassembly:
a="rm -rf"; b=" /"; $a$b
# Bypass via eval + string split:
eval "mk""fs /dev/sda"
Any restricted command can be constructed via bash's many string manipulation,
substitution, and evaluation features. The filter checks the literal input
string, not the command that bash will actually execute.
---
IMPACT
An attacker who can influence the input to this MCP server (e.g., via prompt
injection into the connected AI model) can execute arbitrary OS commands on
the host. Attack scenarios:
- Data destruction (disk wipe, file deletion)
- Data exfiltration (curl/wget to attacker-controlled endpoint)
- Reverse shell establishment
- Lateral movement from the AI agent's host
The false sense of security is particularly dangerous: users who rely on the
"security measures" advertised in the README are exposed without knowing it.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Base Score: 10.0 (Critical)
Note on attack vector: MCP servers receive commands from AI models, which may
in turn be influenced by external content (prompt injection via web pages,
documents, emails processed by the AI). The attacker does not need direct
network access to the MCP server.
---
PRIOR DISCLOSURE
- 2025-09-16: Independently disclosed publicly in GitHub issue #7 by
ClementineZsw (https://github.com/GongRzhe/terminal-controller-mcp/issues/7)
- 2026-04-11: Additional private disclosure sent to gongrzhe@...il.com — no
response received
- 2026-04-19: This post (90-day window exceeded; repository abandoned/archived)
The vulnerability has been publicly visible in issue #7 since September 2025.
This post is to establish a formal CVE record and alert the broader community.
---
RECOMMENDATION
Do not use terminal-controller-mcp. The architecture (passing arbitrary user-
controlled strings to shell=True subprocess) cannot be made safe with
blocklist-based filtering. There is no patch and no plan for one.
If shell command execution via MCP is required, use a sandboxed environment
(container with limited syscalls, restricted filesystem namespace) and
implement allowlist-based (not blocklist-based) command validation.
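As an added illustration of the allowlist recommendation above (example code written for this post, not from the terminal-controller-mcp project; the allowed programs, argument limits and path rules are assumptions), the following contrasts the advisory's substring blocklist with a validator that tokenises without a shell, allowlists the program, and hands the resulting argv to create_subprocess_exec instead of create_subprocess_shell:

```python
import asyncio
import shlex
from typing import List, Optional

# Weak control as quoted in the advisory: substring match on the raw string,
# which says nothing about what bash will execute after expansion.
DANGEROUS_COMMANDS = ["rm -rf /", "mkfs"]

def blocklist_allows(command: str) -> bool:
    return not any(dc in command.lower() for dc in DANGEROUS_COMMANDS)

# Assumed allowlist for this example: program name -> maximum argument count.
ALLOWED_PROGRAMS = {"ls": 3, "cat": 1, "git": 4}
# Characters that only mean something to a shell; an argv handed to exec()
# never needs them, so their presence is grounds for rejection.
SHELL_META = set("$`|&;<>(){}*?~\\\n")

def allowlist_validate(command: str) -> Optional[List[str]]:
    """Return an argv list if the command is acceptable, otherwise None.

    The string is tokenised with shlex (no shell involved), then the program
    must be allowlisted, the argument count bounded, and every argument kept
    relative (no absolute paths, no '..' components).
    """
    if any(ch in SHELL_META for ch in command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if len(argv) - 1 > ALLOWED_PROGRAMS[argv[0]]:
        return None
    for arg in argv[1:]:
        if arg.startswith("/") or ".." in arg.split("/"):
            return None
    return argv

async def run_validated(command: str, cwd: str) -> tuple:
    """Execute only a validated argv, via exec (no shell), inside cwd."""
    argv = allowlist_validate(command)
    if argv is None:
        return (126, "rejected by allowlist")
    proc = await asyncio.create_subprocess_exec(
        *argv, cwd=cwd,
        stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.STDOUT)
    out, _ = await proc.communicate()
    return (proc.returncode, out.decode(errors="replace"))

if __name__ == "__main__":
    for c in ["ls -la", "$(echo mk)fs", 'eval "mk""fs /dev/sda"']:
        print(repr(c), blocklist_allows(c), allowlist_validate(c))
```

The validator is only one layer: run the exec'd process inside the sandbox described above as well, since an allowlisted program can still read whatever the process has permission to read.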
---
REFERENCES
https://github.com/GongRzhe/terminal-controller-mcp
https://github.com/GongRzhe/terminal-controller-mcp/issues/7
https://pypi.org/project/terminal-controller/
---
Håkon Åmdal
pico@...al.dev