CVE-2025-59834
Published 2025-09-25
Priority: P266
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.29% (81.0th percentile)
ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. This issue has been patched via commit 041729c.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| srmorete | adb-mcp | <= 0.1.0 | — |
| srmorete | adb-mcp | 0 – 0.1.0 | — |
| srmorete | adb_mcp_server | <= 0.1.0 | — |
GHSA (2025-09-24): CVE-2025-59834 [CRITICAL] CWE-77
# Command Injection in adb-mcp MCP Server
The MCP Server at https://github.com/srmorete/adb-mcp is vulnerable to command injection in some of its MCP Server tool definitions and implementations.
The MCP Server is also published publicly to npm at www.npmjs.com/package/adb-mcp, so users can install it from there.
## Vulnerable tool
The MCP Server defines the function `executeAdbCommand()`, which takes the command to run as a single string and wraps the promise-based `exec` function.
The MCP Server then exposes the tool `inspect_ui`, which relies on the Node.js child process API `exec` (through that wrapper) to run the Android debugging command (`adb`). Relying on `exec` is an unsafe and vulne
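As an added illustration (not the adb-mcp project's own code), the pattern the advisory describes beside a hardened equivalent: the `uiautomator dump` command line, the device-serial allow-list and the function names are assumptions, since the page does not show the original implementation.

```typescript
// Added example, not code from adb-mcp. Contrasts a tool handler that
// interpolates its input into one shell string (the shape `exec` invites)
// with one that passes a fixed program and an argv array to `execFile`.
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Assumed allow-list for ADB serials such as "emulator-5554" or
// "192.168.1.10:5555"; shell metacharacters never match it.
const DEVICE_ID_RE = /^[A-Za-z0-9._:-]{1,64}$/;

export function validateDeviceId(deviceId: string): string {
  if (!DEVICE_ID_RE.test(deviceId)) {
    throw new Error(`rejected device id: ${JSON.stringify(deviceId)}`);
  }
  return deviceId;
}

// Unsafe shape: tool input becomes part of a single shell command line.
// Returned rather than run, so the flaw is visible without adb installed.
export function unsafeCommandLine(deviceId: string): string {
  return `adb -s ${deviceId} shell uiautomator dump /sdcard/ui.xml`;
}

// Hardened shape: no shell is involved, so whatever is in deviceId stays
// inside one argv element; the allow-list still bounds what adb itself sees.
export function safeArgv(deviceId: string): { file: string; args: string[] } {
  return {
    file: "adb",
    args: ["-s", validateDeviceId(deviceId),
           "shell", "uiautomator", "dump", "/sdcard/ui.xml"],
  };
}

// What an inspect_ui-style handler would call (assumed command; adb must be
// on PATH for this to succeed).
export async function inspectUi(deviceId: string): Promise<string> {
  const { file, args } = safeArgv(deviceId);
  const { stdout } = await execFileAsync(file, args, { timeout: 30_000 });
  return stdout;
}
```

With a constructed input such as `"emulator-5554; echo injected"`, `unsafeCommandLine` yields a line in which the second command would run, while `safeArgv` rejects it before any process is spawned.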
OSV (2025-09-24): CVE-2025-59834 [CRITICAL] Command Injection in adb-mcp MCP Server
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/srmorete/adb-mcp/blob/master/src/index.ts#L334-L355
- https://github.com/srmorete/adb-mcp/commit/041729c0b25432df3199ff71b3163a307cf4c28c
- https://github.com/srmorete/adb-mcp/security/advisories/GHSA-54j7-grvr-9xwg