CVE-2025-11285 — MCPHub's ServerController is vulnerable to Command Injection

Description

A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serverController.ts. The manipulation of the argument command/args results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

How to fix CVE-2025-11285

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-11285 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-11285
PATCHgithub.com/samanhappy/mcphub
WEBgithub.com/August829/YU1/issues/6
WEBvuldb.com/?ctiid.327043
WEBvuldb.com/?id.327043