Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.9
SSH/SCP option injection allows local code execution in MCP-SSH
GHSA-p4h8-56qp-hpgv
Summary
A security issue in MCP-SSH allows an attacker to execute local code on a server by manipulating the SSH/SCP commands. This could potentially expose sensitive information like passwords and SSH keys. To fix this, ensure that all SSH/SCP invocations are terminated with '--' and implement a strict whitelist for host aliases.
What to do
- Update aiondadotcom @aiondadotcom/mcp-ssh to version 1.3.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| aiondadotcom | @aiondadotcom/mcp-ssh | <= 1.3.5 | 1.3.5 |
Original title
SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh
Original description
## Impact
A crafted `hostAlias` argument such as `-oProxyCommand=...` was passed to `ssh`/`scp` without an argument terminator. SSH interprets arguments starting with `-` as options regardless of position, so the option-injection caused SSH to execute the attacker-supplied `ProxyCommand` **locally** on the machine running the MCP server — before any network connection. This bypassed the documented protection of `# @password:` annotations and exposed local SSH keys, browser cookies, other MCP server credentials, and anything else readable by the server process.
A second local-RCE vector existed on Windows: `spawn(..., { shell: true })` was used so that `ssh.exe`/`scp.exe` could be found via `PATH`. With `shell: true`, every argument is re-parsed by `cmd.exe`, so shell metacharacters (`&`, `|`, `^`, `>`, `"`, `;`, …) in `hostAlias`, `command`, `localPath` or `remotePath` would have been interpreted by `cmd.exe` and could have triggered arbitrary local command execution on Windows.
The MCP server runs locally over STDIO, but the LLM driving it is not trusted: its tool arguments can be steered by **prompt injection** from any untrusted text the LLM ingests (web pages, e-mails, repository files, output of other MCP servers). The attack does not require a malicious user — only that the LLM ingests attacker-controlled text at any point during the session.
## Patches
Fixed in **1.3.5**.
- Add `--` argument terminator to all `ssh`/`scp` invocations.
- Strict whitelist for `hostAlias` (rejects leading `-` and shell metacharacters).
- Known-host check: every `hostAlias` must be defined in `~/.ssh/config` (including `Include` directives) or present in `~/.ssh/known_hosts`.
- Resolve `ssh.exe`/`scp.exe` to absolute paths and use `shell: false` everywhere on Windows.
## Workarounds
None. Upgrade to 1.3.5.
## Credit
Reported by Pico (@piiiico) as part of an MCP server security audit.
A crafted `hostAlias` argument such as `-oProxyCommand=...` was passed to `ssh`/`scp` without an argument terminator. SSH interprets arguments starting with `-` as options regardless of position, so the option-injection caused SSH to execute the attacker-supplied `ProxyCommand` **locally** on the machine running the MCP server — before any network connection. This bypassed the documented protection of `# @password:` annotations and exposed local SSH keys, browser cookies, other MCP server credentials, and anything else readable by the server process.
A second local-RCE vector existed on Windows: `spawn(..., { shell: true })` was used so that `ssh.exe`/`scp.exe` could be found via `PATH`. With `shell: true`, every argument is re-parsed by `cmd.exe`, so shell metacharacters (`&`, `|`, `^`, `>`, `"`, `;`, …) in `hostAlias`, `command`, `localPath` or `remotePath` would have been interpreted by `cmd.exe` and could have triggered arbitrary local command execution on Windows.
The MCP server runs locally over STDIO, but the LLM driving it is not trusted: its tool arguments can be steered by **prompt injection** from any untrusted text the LLM ingests (web pages, e-mails, repository files, output of other MCP servers). The attack does not require a malicious user — only that the LLM ingests attacker-controlled text at any point during the session.
## Patches
Fixed in **1.3.5**.
- Add `--` argument terminator to all `ssh`/`scp` invocations.
- Strict whitelist for `hostAlias` (rejects leading `-` and shell metacharacters).
- Known-host check: every `hostAlias` must be defined in `~/.ssh/config` (including `Include` directives) or present in `~/.ssh/known_hosts`.
- Resolve `ssh.exe`/`scp.exe` to absolute paths and use `shell: false` everywhere on Windows.
## Workarounds
None. Upgrade to 1.3.5.
## Credit
Reported by Pico (@piiiico) as part of an MCP server security audit.
osv CVSS4.0
9.9
Vulnerability type
CWE-78
OS Command Injection
CWE-88
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026