CVE-2025-54073 is a command injection vulnerability identified in the sammcj project’s mcp-package-docs server, a Model Context Protocol (MCP) server designed to provide large language models (LLMs) with efficient access to package documentation across multiple programming languages and Language Server Protocol (LSP) capabilities. The vulnerability arises from improper neutralization of special elements used in command execution (CWE-77). Specifically, the server uses the Node.js child_process.exec function to execute shell commands constructed from user-supplied input parameters without adequate sanitization or validation. This unsafe practice allows an attacker to inject arbitrary shell metacharacters such as pipes (|), redirection (>), and command chaining (&&), enabling execution of arbitrary system commands with the privileges of the server process. The vulnerability affects all versions prior to 0.1.27, with a fix introduced in commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9 and further improvements recommended in version 0.1.28. The CVSS v3.1 base score is 7.5 (high severity), reflecting the network attack vector, high impact on confidentiality, integrity, and availability, and the requirement for user interaction but no privileges or authentication. Although no known exploits are reported in the wild yet, the nature of the vulnerability makes it a critical risk for environments running vulnerable versions of mcp-package-docs, especially where the server is exposed to untrusted inputs or external networks. Attackers could leverage this flaw to execute arbitrary commands remotely, potentially leading to full system compromise, data exfiltration, or disruption of services.

For European organizations, the impact of CVE-2025-54073 can be significant, particularly for those integrating mcp-package-docs into their development or AI infrastructure. Successful exploitation could lead to remote code execution, allowing attackers to compromise the confidentiality, integrity, and availability of critical systems. This could result in unauthorized access to sensitive intellectual property, disruption of AI-assisted development workflows, and potential lateral movement within corporate networks. Organizations relying on LLMs and language server protocols for software development, documentation, or automation may face operational downtime and reputational damage. Furthermore, if the compromised server has access to internal resources or sensitive data stores, the breach could escalate into broader network intrusions. Given the increasing adoption of AI and LSP tools in European tech sectors, the vulnerability poses a tangible risk to software vendors, research institutions, and enterprises leveraging these technologies.

To mitigate this vulnerability, European organizations should immediately upgrade mcp-package-docs to version 0.1.28 or later, which contains the official fix for the command injection flaw. Until the upgrade is applied, organizations should restrict network exposure of the mcp-package-docs server to trusted internal networks only and implement strict input validation and sanitization at the application layer to prevent injection of shell metacharacters. Employing runtime application self-protection (RASP) or web application firewalls (WAFs) capable of detecting and blocking command injection patterns can provide additional defense-in-depth. Monitoring and logging of command execution attempts should be enhanced to detect suspicious activity. Organizations should also conduct code reviews and security audits of any custom integrations involving mcp-package-docs to ensure no unsafe command execution practices exist. Finally, applying the principle of least privilege to the server process—running it with minimal permissions—can limit the impact of a successful exploit.