Skip to content

[AVE] New class: tool-implementation-command-injection (content layer) #32

Description

@chaksaray

Before you open this issue

  • I have searched the registry at ave.bawbel.io and the records/ directory
  • This is a genuinely distinct behavioral class, not a variant of an existing record
  • I have a citable primary source (CVE, paper, disclosure, or working PoC)

Behavioral fingerprint

An MCP tool's own server-side handler code passes a caller-supplied tool-call parameter value into a shell/system-command execution call without sanitization, achieving arbitrary OS command execution independent of any LLM reasoning or prompt content — a non-agentic attacker can trigger it with a raw, crafted JSON-RPC tool-call request.

Why this is a new class, not a variant

Checked against AVE-2026-00004 (Shell Pipe Injection) and AVE-2026-00033 (Unsafe Deserialization). Both describe skill/prompt content instructing the agent, via natural language, to construct and run a dangerous command — the vulnerability lives in what the text tells the LLM to do, and detection is content-layer prompt scanning.

This candidate is different in kind: a classic CWE-78 flaw in the tool's own implementation code (e.g. an execAsync handler). No LLM instruction-following is involved — the flaw fires on a raw tool-call parameter value regardless of how or why that value arrived. Detection requires SAST/code review of the server's source, not content-layer prompt scanning. Folding this into 00004 would erase the distinction between prompt-driven misuse of a legitimate capability and a code-level injection bug in the capability's own implementation.

Primary source

NVD CVE-2026-0755 — gemini-mcp-tool v1.1.2, CWE-78 (OS Command Injection), CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Root cause: the execAsync method fails to validate a user-supplied string before passing it to a system call. Corroborated by Snyk SNYK-JS-GEMINIMCPTOOL-15091895 and the GitLab Advisory Database. Verified directly against NVD, not taken from search-summary text.

Proposed record skeleton

attack_class:        Tool Abuse - Implementation Command Injection  (naming open to discussion —
                      first record describing a code-level flaw in a tool's OWN implementation
                      rather than prompt-driven misuse; may warrant its own category)
severity:             CRITICAL (est.)
owasp_mcp:            [MCP05, MCP04]   (MCP05 = Command Injection and Execution, exact-match
                      category per crosswalks/ave-to-owasp-mcp.md; MCP04 = Software Supply Chain
                      Attacks, secondary, since the flaw ships inside a distributed tool package)
owasp_asi:            (none proposed — TBD during implementation)
mitre_atlas:          none — classic CWE-78, outside ATLAS's ML-adversarial-technique scope (checked)
detection_layer:      content   (closest existing enum value — this scans the tool's OWN source,
                      not a skill/prompt file; flagging that this stretches the current five-layer
                      taxonomy's naming slightly, worth a decision during implementation)
detection_stage:      static_detection
evidence_basis_engines: [semgrep, pattern]

Note: this repo completed a v1.1.0 field rename (owasp_mappingowasp_asi,
mitre_atlas_mappingmitre_atlas) after .github/ISSUE_TEMPLATE/01_ave_submission.md
was last written — the template still shows the pre-rename field names. Using the current
(post-migration) names above since that's what schema/ave-record-1.1.0.schema.json
actually validates against; the template is due for a small doc-sync follow-up.

Real-world evidence

CVE-2026-0755, CVSS 9.8, patched in gemini-mcp-tool 1.1.6. Real, disclosed, unauthenticated RCE — pushes THM toward 1.0 in AIVSS scoring.

Indicators of compromise

  • Tool handler code passes a raw, caller-supplied string parameter directly into exec() / execSync() / child_process.exec() / execAsync() with no argument-array separation or shell-metacharacter escaping
  • Absence of an allowlist or sanitization step between a tool's declared parameter schema and its shell/system-call invocation

Researcher

Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)

Metadata

Metadata

Assignees

No one assigned

    Labels

    ave-recordAdding or modifying an AVE recordnew-classGenuinely new behavioral class, not a variantresearch-sourcedTraced to a citable primary source via research-new-attack-classes

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions