GitHub Advisory — GitHub Kanban MCP Server command injection (CVE-2025-53818)

AI relevance: this MCP server exposes tool calls to LLM agents; a prompt-injected tool invocation can become OS command execution on the MCP host.

  • CVE-2025-53818 affects @sunwood-ai-labs/github-kanban-mcp-server, enabling command injection via MCP tool inputs.
  • Root cause: the add_comment tool builds a gh issue command with untrusted arguments and executes it via exec().
  • Shell metacharacters in issue_number or related fields can break out of the intended command and run arbitrary commands.
  • The advisory explicitly calls out prompt injection as a plausible trigger for malicious tool inputs.
  • Affected versions: <= 0.3.0; no patched version is listed.
  • Recommendation: use execFile() with argument arrays and terminate flags with -- to avoid shell parsing.

Why it matters

  • MCP servers sit in the blast radius of LLM agents; injection here is effectively prompt-to-shell.
  • GitHub automations are often used in CI/CD contexts; a compromised MCP server can expose tokens and repos.
  • This pattern (child_process.exec + user input) is common across MCP tooling and needs systematic audit.

What to do

  • Disable or isolate this MCP server until a patch is released.
  • Replace exec() with execFile() and validate all tool arguments with allowlists.
  • Run MCP servers under least-privilege accounts and in sandboxes/containers with minimal filesystem access.
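
The execFile() recommendation above as a hardened handler sketch. This is an added example, not the project's own code: the argument names repo and body, the allowlist formats and the helper names are assumptions; only issue_number and the gh issue command come from the advisory.

```javascript
// Allowlists for every tool argument (formats are assumptions of this example).
const ISSUE_NUMBER = /^[1-9][0-9]{0,9}$/;
const REPO = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;
const MAX_BODY = 65536;

// Build the argv for `gh issue comment`; throws on anything outside the allowlists.
function buildCommentArgs({ repo, issue_number, body }) {
  const issue = String(issue_number);
  if (!ISSUE_NUMBER.test(issue)) throw new TypeError('issue_number must be a positive integer');
  if (typeof repo !== 'string' || !REPO.test(repo)) throw new TypeError('repo must be owner/name');
  if (typeof body !== 'string' || body.length === 0 || body.length > MAX_BODY || body.includes('\0')) {
    throw new TypeError('body must be a non-empty string without NUL bytes');
  }
  // --flag=value keeps each value bound to its flag; "--" ends option parsing,
  // so the positional argument can never be read as a flag.
  return ['issue', 'comment', `--repo=${repo}`, `--body=${body}`, '--', issue];
}

// Run gh without a shell: each array element reaches gh as exactly one argv entry.
async function addComment(input) {
  const args = buildCommentArgs(input);
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('gh', args, { shell: false, timeout: 15000 }, (err, stdout) =>
      (err ? reject(err) : resolve(stdout.trim())));
  });
}

// Constructed inputs: one benign call whose body contains shell syntax, and
// issue_number values that must be rejected before any process is spawned.
function demo() {
  const ok = buildCommentArgs({
    repo: 'octo-org/demo', issue_number: 42, body: 'LGTM $(echo x); `x`',
  });
  const rejected = ['42; echo x', '$(echo x)', '--web', '1 2'].map((n) => {
    try {
      buildCommentArgs({ repo: 'octo-org/demo', issue_number: n, body: 'hi' });
      return false;
    } catch {
      return true;
    }
  });
  return { ok, rejected };
}
```

The comment body may legitimately contain shell syntax; it stays inert because no shell ever parses the argument array.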

Sources