CVE-2025-52573: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in joshuayoes ios-simulator-mcp

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-52573, cve, cve-2025-52573, cwe-78
Published: Thu Jun 26 2025 (06/26/2025, 14:08:56 UTC)
Source: CVE Database V5
Vendor/Project: joshuayoes
Product: ios-simulator-mcp

Description

iOS Simulator MCP Server (ios-simulator-mcp) is a Model Context Protocol (MCP) server for interacting with iOS simulators. Versions prior to 1.3.3 are vulnerable to command injection in some of the MCP Server's tool definitions and implementation. The MCP Server exposes the tool `ui_tap`, which relies on the Node.js child process API `exec`, an unsafe API when its command string is concatenated with untrusted user input. The LLM-exposed user inputs `duration`, `udid`, `x` and `y` can carry shell metacharacters such as `;` or `&&` that change the behavior from running the expected command `idb` to running another command. When LLMs are tricked through prompt injection (and other techniques and attack vectors) into calling the tool with input that uses special shell characters, such as `; rm -rf /tmp;#` and other payload variations, the full command-line text is interpreted by the shell, and commands other than `ps` execute on the host running the MCP Server. Version 1.3.3 contains a patch for the issue.

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 14:35:55 UTC

Technical Analysis

CVE-2025-52573 is an OS command injection vulnerability affecting versions prior to 1.3.3 of the ios-simulator-mcp server, a Model Context Protocol (MCP) server used to interact with iOS simulators. The vulnerability arises from unsafe usage of the Node.js child process API 'exec' within the 'ui_tap' tool exposed by the MCP server. This API runs its command string through a shell, and the tool builds that string by concatenating user-supplied inputs directly, without sanitizing or neutralizing special shell characters. Specifically, the inputs 'duration', 'udid', and the coordinates 'x' and 'y' can be manipulated to include shell metacharacters like ';' or '&&', enabling an attacker to inject arbitrary commands. For example, an attacker could craft inputs that append destructive commands such as 'rm -rf /tmp' to the intended command, causing execution of unintended and potentially harmful operations on the host system running the MCP server. The vulnerability is exacerbated by the fact that large language models (LLMs) or other automated systems interacting with the MCP server can be tricked via prompt injection or other attack vectors into supplying malicious inputs. The vulnerability has a CVSS 3.1 base score of 6.0 (medium severity), with a local attack vector, high attack complexity, low privileges required, and user interaction required. The impact affects integrity and availability but not confidentiality. The issue was patched in version 1.3.3 of ios-simulator-mcp. No known exploits are currently reported in the wild.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to development and testing environments where ios-simulator-mcp is used to automate or manage iOS simulators. Successful exploitation could allow an attacker with local access and limited privileges to execute arbitrary commands on the host system, potentially leading to disruption of testing workflows, deletion or corruption of temporary files, or further lateral movement if combined with other vulnerabilities. While the vulnerability does not directly expose confidential data, the integrity and availability of the development infrastructure could be compromised, resulting in delays, increased operational costs, and potential exposure to secondary attacks. Organizations relying on automated testing pipelines or continuous integration systems that incorporate ios-simulator-mcp may be particularly vulnerable. The requirement for local access and user interaction limits remote exploitation but insider threats or compromised developer machines could be vectors. Additionally, the involvement of LLMs or automated tools in supplying inputs increases the attack surface if these systems are not properly secured or validated.

Mitigation Recommendations

1. Upgrade ios-simulator-mcp to version 1.3.3 or later, where the command injection vulnerability has been patched.
2. Implement strict input validation and sanitization on all user-supplied parameters, especially those passed to shell commands, to neutralize shell metacharacters and prevent command chaining or injection.
3. Replace usage of Node.js 'exec' with safer alternatives such as 'spawn' or 'execFile', which do not invoke a shell and keep the command separate from its arguments.
4. Restrict local access to the MCP server to trusted users and environments only, employing strong access controls and monitoring.
5. Harden development and testing environments by applying the principle of least privilege to user accounts and processes interacting with the MCP server.
6. Monitor logs for suspicious command execution patterns or unexpected shell commands originating from the MCP server.
7. For organizations using LLMs or automated tools to interact with the MCP server, implement input validation and output filtering to prevent prompt injection or malicious input generation.
8. Conduct security awareness training for developers and testers to recognize and report suspicious activities related to the MCP server.
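Recommendations 2 and 3 in practice, as an added example that is not code from ios-simulator-mcp or its patch: the concatenated `exec` pattern beside an argv-based call, plus validation of the `ui_tap` parameters. Assumptions: `echo` stands in for `idb` so the block runs without idb installed, the `UNTRUSTED_X` value is constructed with a harmless marker, and the function names, UUID-shaped UDID rule and flag layout are illustrative.

```javascript
const { execSync, execFileSync } = require("node:child_process");

// Constructed input: a harmless `echo` marker stands in for an injected command.
const UNTRUSTED_X = "10; echo INJECTED #";

// Pattern the advisory describes: arguments concatenated into a shell string.
// `echo` stands in for `idb` so the block runs on a host without idb.
function tapViaShell(x, y) {
  const out = execSync(`echo ui tap ${x} ${y}`, { encoding: "utf8" });
  return out.trim().split("\n"); // one entry per command the shell ran
}

// Same input passed as an argv array: no shell, so `;` is just a byte.
function tapViaArgv(x, y) {
  const argv = ["ui", "tap", String(x), String(y)];
  return execFileSync("echo", argv, { encoding: "utf8" }).trim();
}

// Assumption: simulator UDIDs are UUID-shaped; coordinates and duration are
// non-negative finite numbers (a leading "-" could be read as an option).
const UDID_RE = /^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$/;

function checkNumber(name, value) {
  if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
    throw new TypeError(`${name} must be a non-negative finite number`);
  }
  return String(value);
}

// Validate the ui_tap parameters, then build an argv array for execFile.
// The flag layout for `idb ui tap` is illustrative, not taken from the patch.
function buildTapArgs({ udid, x, y, duration }) {
  const args = ["ui", "tap"];
  if (udid !== undefined) {
    if (typeof udid !== "string" || !UDID_RE.test(udid)) {
      throw new TypeError("udid must be a UUID");
    }
    args.push("--udid", udid);
  }
  if (duration !== undefined) {
    args.push("--duration", checkNumber("duration", duration));
  }
  args.push(checkNumber("x", x), checkNumber("y", y));
  return args;
}
```

With the constructed input, `tapViaShell` returns two output lines because the shell ran two commands, while `tapViaArgv` returns the input as one literal argument and `buildTapArgs` rejects it before any process is started.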

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-18T03:55:52.036Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685d570dca1063fb8741f497

Added to database: 6/26/2025, 2:19:57 PM

Last enriched: 6/26/2025, 2:35:55 PM

Last updated: 8/17/2025, 5:18:28 PM
