CVE-2025-53372 is a command injection vulnerability identified in versions of the node-code-sandbox-mcp server prior to 1.3.0. This server, developed by alfonsograziano, is a Node.js-based Model Context Protocol (MCP) server that executes arbitrary JavaScript code by spinning up disposable Docker containers. The vulnerability arises from improper sanitization of input parameters used in calls to the Node.js child_process.execSync function. Specifically, user-supplied inputs are incorporated unsafely into system command strings, allowing an attacker to inject arbitrary shell commands. Successful exploitation enables remote code execution (RCE) on the host machine with the privileges of the server process, effectively bypassing the intended sandbox protections provided by Docker containers. This means that despite the code running inside isolated containers, the attacker can execute commands directly on the host operating system, potentially leading to full system compromise. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command) and has a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), but does require user interaction (UI:R). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No known exploits are currently reported in the wild, and the issue was publicly disclosed on July 8, 2025. The vulnerability is fixed in version 1.3.0 of node-code-sandbox-mcp.

For European organizations, the impact of CVE-2025-53372 can be significant, especially for those relying on node-code-sandbox-mcp for executing JavaScript code in isolated environments. The ability to bypass Docker sandboxing and execute arbitrary commands on the host system can lead to full system compromise, data breaches, lateral movement within networks, and disruption of services. Organizations using this software in production environments may face risks including theft or destruction of sensitive data, unauthorized access to internal systems, and potential use of compromised hosts as pivot points for further attacks. Given the high privileges typically associated with server processes, attackers could install persistent malware, exfiltrate data, or disrupt critical business operations. Additionally, the requirement for user interaction suggests that exploitation might involve social engineering or tricking legitimate users into triggering the vulnerability, which could complicate detection and response. The vulnerability's presence in a component that manages disposable containers also raises concerns about the security of ephemeral environments, which are often trusted implicitly. This threat is particularly relevant to sectors with high reliance on containerized JavaScript execution environments, such as software development firms, cloud service providers, and organizations deploying advanced automation or AI workloads.

1. Immediate upgrade to node-code-sandbox-mcp version 1.3.0 or later, where the vulnerability is patched. 2. Implement strict input validation and sanitization on all user-supplied parameters before they are passed to system command execution functions. Use safe APIs that avoid shell interpretation, such as child_process.execFile or spawn with argument arrays, instead of execSync with concatenated strings. 3. Employ runtime application self-protection (RASP) or behavior monitoring to detect and block suspicious command execution patterns. 4. Restrict the privileges of the node-code-sandbox-mcp server process to the minimum necessary, using container security best practices and Linux capabilities to limit potential damage from exploitation. 5. Use container security tools to enforce strict isolation policies and monitor container escape attempts. 6. Conduct regular security audits and code reviews focusing on command injection risks in all components that execute system commands. 7. Educate users and administrators about the risk of social engineering attacks that could trigger this vulnerability, emphasizing cautious handling of untrusted inputs. 8. Deploy network-level protections such as Web Application Firewalls (WAFs) with custom rules to detect and block command injection payloads targeting this service. 9. Monitor logs for unusual command execution or container behavior indicative of exploitation attempts.