Add MCPJam Inspector command execution exploit#21655
Open
earthenvessel wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds a new exploit module for CVE-2026-23744, an unauthenticated command execution vulnerability in MCPJam Inspector.
The module targets the
/api/mcp/connectendpoint. Vulnerable versions accept a JSONserverConfigobject containing acommandandargsarray, then use those values to start an MCP server. When MCPJam Inspector is exposed on a routable interface, an unauthenticated remote attacker can abuse this behavior to execute operating system commands as the user running MCPJam Inspector.The module currently supports Unix command payloads. By default, it starts a transient stdio MCP server and executes the selected Metasploit command payload through MCPJam Inspector's MCP tools API. A direct
/bin/sh -cexecution path is also available withEXEC_METHOD=direct_sh.This change also adds module documentation under
documentation/modules.During testing, the GitHub Security Advisory's affected range appeared to be narrower than observed behavior. The advisory lists affected versions as <= 1.4.2, but source builds through v1.4.6 were exploitable. The first fixed GitHub tag identified during testing was v1.5.0, which requires session-token authentication for the relevant API endpoints.
Related Issue: N/A
Breaking Changes
None
Reviewer Notes
Start with:
modules/exploits/multi/http/mcpjam_inspector_rce.rbdocumentation/modules/exploit/multi/http/mcpjam_inspector_rce.mdThe module intentionally targets Unix command payloads only. Windows support is left out of scope for this initial PR because it was not tested against a Windows MCPJam Inspector deployment.
The
checkmethod performs the following:Unauthorized/Session token required.Verification Steps
msfconsoleand load the module:checkand verify that the target is reported vulnerable:Expected result:
cmd/unix/generic:Expected result: The module executes
idand prints command output from the target.Expected result: A command shell session opens.
check.Expected result:
Test Evidence
The module was tested against MCPJam Inspector versions built from GitHub source:
Successful payload coverage included:
•
cmd/unix/generic•
cmd/unix/reverse_nodejs•
cmd/unix/reverse_bash•
cmd/unix/reverse_perl•
cmd/unix/reverse_python•
cmd/unix/reverse_netcat•
cmd/unix/bind_nodejs•
cmd/unix/python/pingback_reverse_tcp•
cmd/unix/python/shell_reverse_tcpExample vulnerable target check:
Example command execution:
Example reverse shell:
Example fixed-version check against v1.5.0:
Quality checks:
Environment
AI Usage Disclosure
AI assistance was used during development and testing. Hermes Agent was used to assist with module and documentation drafting and test orchestration. All code and documentation were manually reviewed/tested.
Pre-Submission Checklist
documentation/moduleslib/changes)