GHSA-P4H8-56QP-HPGV
Vulnerability from github – Published: 2026-04-14 00:04 – Updated: 2026-04-14 00:04Impact
A crafted hostAlias argument such as -oProxyCommand=... was passed to ssh/scp without an argument terminator. SSH interprets arguments starting with - as options regardless of position, so the option-injection caused SSH to execute the attacker-supplied ProxyCommand locally on the machine running the MCP server — before any network connection. This bypassed the documented protection of # @password: annotations and exposed local SSH keys, browser cookies, other MCP server credentials, and anything else readable by the server process.
A second local-RCE vector existed on Windows: spawn(..., { shell: true }) was used so that ssh.exe/scp.exe could be found via PATH. With shell: true, every argument is re-parsed by cmd.exe, so shell metacharacters (&, |, ^, >, ", ;, …) in hostAlias, command, localPath or remotePath would have been interpreted by cmd.exe and could have triggered arbitrary local command execution on Windows.
The MCP server runs locally over STDIO, but the LLM driving it is not trusted: its tool arguments can be steered by prompt injection from any untrusted text the LLM ingests (web pages, e-mails, repository files, output of other MCP servers). The attack does not require a malicious user — only that the LLM ingests attacker-controlled text at any point during the session.
Patches
Fixed in 1.3.5.
- Add
--argument terminator to allssh/scpinvocations. - Strict whitelist for
hostAlias(rejects leading-and shell metacharacters). - Known-host check: every
hostAliasmust be defined in~/.ssh/config(includingIncludedirectives) or present in~/.ssh/known_hosts. - Resolve
ssh.exe/scp.exeto absolute paths and useshell: falseeverywhere on Windows.
Workarounds
None. Upgrade to 1.3.5.
Credit
Reported by Pico (@piiiico) as part of an MCP server security audit.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@aiondadotcom/mcp-ssh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T00:04:10Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Impact\n\nA crafted `hostAlias` argument such as `-oProxyCommand=...` was passed to `ssh`/`scp` without an argument terminator. SSH interprets arguments starting with `-` as options regardless of position, so the option-injection caused SSH to execute the attacker-supplied `ProxyCommand` **locally** on the machine running the MCP server \u2014 before any network connection. This bypassed the documented protection of `# @password:` annotations and exposed local SSH keys, browser cookies, other MCP server credentials, and anything else readable by the server process.\n\nA second local-RCE vector existed on Windows: `spawn(..., { shell: true })` was used so that `ssh.exe`/`scp.exe` could be found via `PATH`. With `shell: true`, every argument is re-parsed by `cmd.exe`, so shell metacharacters (`\u0026`, `|`, `^`, `\u003e`, `\"`, `;`, \u2026) in `hostAlias`, `command`, `localPath` or `remotePath` would have been interpreted by `cmd.exe` and could have triggered arbitrary local command execution on Windows.\n\nThe MCP server runs locally over STDIO, but the LLM driving it is not trusted: its tool arguments can be steered by **prompt injection** from any untrusted text the LLM ingests (web pages, e-mails, repository files, output of other MCP servers). The attack does not require a malicious user \u2014 only that the LLM ingests attacker-controlled text at any point during the session.\n\n## Patches\n\nFixed in **1.3.5**.\n\n- Add `--` argument terminator to all `ssh`/`scp` invocations.\n- Strict whitelist for `hostAlias` (rejects leading `-` and shell metacharacters).\n- Known-host check: every `hostAlias` must be defined in `~/.ssh/config` (including `Include` directives) or present in `~/.ssh/known_hosts`.\n- Resolve `ssh.exe`/`scp.exe` to absolute paths and use `shell: false` everywhere on Windows.\n\n## Workarounds\n\nNone. Upgrade to 1.3.5.\n\n## Credit\n\nReported by Pico (@piiiico) as part of an MCP server security audit.",
"id": "GHSA-p4h8-56qp-hpgv",
"modified": "2026-04-14T00:04:10Z",
"published": "2026-04-14T00:04:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AiondaDotCom/mcp-ssh/security/advisories/GHSA-p4h8-56qp-hpgv"
},
{
"type": "WEB",
"url": "https://github.com/AiondaDotCom/mcp-ssh/issues/9"
},
{
"type": "PACKAGE",
"url": "https://github.com/AiondaDotCom/mcp-ssh"
},
{
"type": "WEB",
"url": "https://github.com/AiondaDotCom/mcp-ssh/releases/tag/1.3.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.